unsecure secure database

  • Thread starter Matthew Reed via AccessMonster.com

Matthew Reed via AccessMonster.com

I followed ALL the steps for the Security FAQ for Access for a database,
although I am running Access2002 and using a 2000 file format.

I created a workgroup, created myself as a user and added myself to the
Admins group, added a password to my own account, removed the admin user
from the Admins group, ran the Security Wizard, and created a new database
while logged in as myself and importing all db objects into it. Then I
tried a simple test and put the db out on the network and had a user test
to see if he could open it. He has NOT joined the workgroup I created.

Guess what? The db is wide open! It doesn't ask for a password, he can
open it, edit data, delete stuff, etc.

Please don't tell me to run the workgroup administrator for this user --
the whole point is that anyone who hasn't run the workgroup administrator
could open this file. Am I doing something wrong, or is this expected
behavior?
 

Anno v. Heimburg

Matthew said:
> I created a workgroup, created myself as a user and added myself to the
> Admins group, added a password to my own account, removed the admin user
> from the Admins group, ran the Security Wizard, and created a new database
> while logged in as myself and importing all db objects into it.

Ah, yes, but did you remove all privileges from the Admin user and the Users
group?

Anno.
 

Matthew Reed via AccessMonster.com

FAQ says nothing about removing permissions from the admin USER, it says to
remove the admin user from the Admins group. That may be my problem, I'll
try it. Step 8 says that the Security Wizard removes all permissions from
the User group also, so if it does what it says, yes, that step has been
done.

Thanks for the input. I'll try removing rights from the Admin USER,
although you generally don't add/remove rights for ANY user -- you
generally assign rights to groups and add users to those groups.

Tricky stuff. I'll keep playing. Thanks.

Matt
 

Joan Wild

Matthew Reed via AccessMonster.com said:
> FAQ says nothing about removing permissions from the admin USER, it says to
> remove the admin user from the Admins group. That may be my problem, I'll
> try it. Step 8 says that the Security Wizard removes all permissions from
> the User group also, so if it does what it says, yes, that step has been
> done.
>
> Thanks for the input. I'll try removing rights from the Admin USER,
> although you generally don't add/remove rights for ANY user -- you
> generally assign rights to groups and add users to those groups.
>
> Tricky stuff. I'll keep playing. Thanks.

Yes it is tricky stuff. You cannot omit a single step (nor phrase) in the
FAQ.

You said....
> I created a workgroup, created myself as a user and added myself to the
> Admins group, added a password to my own account,

Those steps alone are not sufficient. Originally you are logged in as
Admin, how did you change the password to your account?

> removed the admin user
> from the Admins group, ran the Security Wizard,

at this point?

It is vital that you implement the steps exactly as outlined, not missing a
single step/phrase.
 

Guest

Did you put a password on Admin?
Security is not complete until the Admin user is passworded.
 

Matthew Reed via AccessMonster.com

Thanks Joan! I had already done one of the things you caught in my
incomplete description of my actions. I added a password to my Matt
account by logging in as Matt. The admin user already had a password from
Step 3.

I didn't understand your second question. Step 5 -- I logged in as Matt (I
was already added to the admin group). I created a password for the Matt
account. Step 6 -- I removed admin user from Admins group. Step 7 -- it
doesn't say who to log in as, but I assumed it should be the new user
account with admin privileges (Matt). Step 8 doesn't say who to log in as
either, but I logged in as Matt and ran the Security Wizard.

So I guess I did run the Security Wizard at the point you said. Correct?

Matt
 

Matthew Reed via AccessMonster.com

Yes, I did. Forgot to mention that. That's the first thing I did.

Thanks!
 

Joan Wild

Matthew Reed via AccessMonster.com said:
> So I guess I did run the Security Wizard at the point you said. Correct?

Yes you did it right. Now that we have that clear you also said...

"ran the Security Wizard, and created a new database
while logged in as myself and importing all db objects into it. Then I
tried a simple test and put the db out on the network and had a user test
to see if he could open it. He has NOT joined the workgroup I created."

After running the security wizard, why did you create a new database and
import all the db objects? The permissions would not come with the imported
objects, so it makes sense that your test allowed the user to get in.

Joan Wild
Microsoft Access MVP
 

Matthew Reed via AccessMonster.com

Did make some progress on this. Thanks!

To answer your question --- Step 10 talks about how in Access 2000 the
Security Wizard is supposed to remove the open/run database permissions,
but "it is possible to open a database using the default workgroup
information file regardless of settings. The cure for both versions of
Access is to create a new, empty database while logged on as a member of
the Admins group and import all the objects from the security-enhanced
database."

I've been assigning permissions in the new database (I did not assign any
in the old). I think I'm getting closer -- I removed the delete data
rights from a table in the database, put it out on the network, and even
though someone could open the database, they couldn't delete any data in
the table. I'll go through the rest of the tables and assign rights.

Thanks Joan!
 

Joan Wild

Matthew Reed via AccessMonster.com said:
> Did make some progress on this. Thanks!
>
> To answer your question --- Step 10 talks about how in Access 2000 the
> Security Wizard is supposed to remove the open/run database permissions,

I thought you were using 2002.

> I've been assigning permissions in the new database (I did not assign any
> in the old). I think I'm getting closer -- I removed the delete data
> rights from a table in the database, put it out on the network, and even
> though someone could open the database,

Remove permissions on the database object for the Users Group - they
shouldn't have any permissions on the database object.
 

Matthew Reed via AccessMonster.com

I am on 2002 using the 2000 file format. Some of my users are still on
2000. Is that problem fixed in 2002?

Matt
 

Joan Wild

Matthew Reed via AccessMonster.com said:
> I am on 2002 using the 2000 file format. Some of my users are still on
> 2000. Is that problem fixed in 2002?

Yes it is.
 

Guest

If users can access it without joining the Workgroup one of two things is
happening:

1. There is one or more common usernames (and ID) between the two workgroups
   which does have permissions.
2. The user is using a shortcut with the /wrkgrp parameter set (but should
   still have to log on).

What permissions does the Users group have to the database in the new
workgroup? This is significant as the USER Admin is a member of the Users
group.
Terry
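
The checks raised in this thread (permissions or ownership left with the Admin user, and permissions left with the Users group on the database object and tables), written as an audit routine. This is an added example, not part of any post above: it is VBA using DAO, the sub name `AuditDefaultAccounts` is hypothetical, and it assumes a reference to the Microsoft DAO 3.6 Object Library and that you are logged on as a member of the Admins group of the workgroup file that secures the database.

```vba
' Added example (not from the thread). Assumes a DAO 3.6 reference and a logon
' as a member of the Admins group of the workgroup file securing this database.
Option Compare Database
Option Explicit

' Hypothetical helper name. Lists every database, table and query object that
' the built-in Admin user or Users group owns or holds permissions on.
Public Sub AuditDefaultAccounts()
    Dim db As DAO.Database
    Dim cnt As DAO.Container
    Dim doc As DAO.Document
    Dim cntName As Variant
    Dim perms As Long
    Dim findings As Long

    Set db = CurrentDb()
    ' "Databases" holds MSysDb (open/run, exclusive, administer);
    ' "Tables" holds both tables and queries.
    For Each cntName In Array("Databases", "Tables")
        Set cnt = db.Containers(cntName)
        cnt.Documents.Refresh
        For Each doc In cnt.Documents
            If doc.Owner = "Admin" Then
                Debug.Print "Owned by Admin: " & cnt.Name & "\" & doc.Name
                findings = findings + 1
            End If

            doc.UserName = "Users"
            perms = doc.Permissions          ' explicit grants to the group
            If perms <> dbSecNoAccess Then
                Debug.Print "Users group: " & cnt.Name & "\" & doc.Name & " = &H" & Hex$(perms)
                findings = findings + 1
            End If

            doc.UserName = "Admin"
            perms = doc.AllPermissions       ' explicit plus inherited from groups
            If perms <> dbSecNoAccess Then
                Debug.Print "Admin user: " & cnt.Name & "\" & doc.Name & " = &H" & Hex$(perms)
                findings = findings + 1
            End If
        Next doc
    Next cntName

    Debug.Print findings & " finding(s); 0 means neither default account owns or holds permissions on these objects."
End Sub
```

Run it from the Immediate window in both the original secured file and any copy made by importing objects; a line for `Databases\MSysDb` means that account still holds permissions on the database object itself.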
 
