Why removing Admin from Admins

[zmxn]

To secure a database I read everywhere that I should remove Admin from
the group Admins.
But why?
I've scured a database with the wizzard and after that I put back
Admin in the group Admins.
Using the default system.mdw I don't have permission to access the
database.

 

[Rick Brandt]

To secure a database I read everywhere that I should remove Admin from
the group Admins.
But why?
I've scured a database with the wizzard and after that I put back
Admin in the group Admins.
Using the default system.mdw I don't have permission to access the
database.

But why do it? The Admin user is identical in ALL mdw files. Any permissions
you give to Admin you give to every Admin user in every workgroup file.

 

[zmxn]

But why do it? The Admin user is identical in ALL mdw files. Any permissions
you give to Admin you give to every Admin user in every workgroup file.

It's obvious that you should not give any permission to Admin. But
that has nothing to do with Admin being a member of Admins or not.
I first also thought that Admin gets implicit permission from the
group Admins.
But the group Admins in the default security.mdw is different from
your own workgroup.
Logging on to the database using the default security.mdw (and using
Admin) access gives through the SID's.
But the Admins-SID in the default security.mdw differs from the one
you created. So Admin does not get any explicit permissions.

I've tried it and I cannot find any mistakes in my thinking.
Am I wrong or not?

So the question remains:
"To secure a database I read everywhere that I should remove Admin
from
the group Admins.
But why?"

 

[Rick Brandt]

It's obvious that you should not give any permission to Admin. But
that has nothing to do with Admin being a member of Admins or not.
I first also thought that Admin gets implicit permission from the
group Admins.
But the group Admins in the default security.mdw is different from
your own workgroup.
Logging on to the database using the default security.mdw (and using
Admin) access gives through the SID's.
But the Admins-SID in the default security.mdw differs from the one
you created. So Admin does not get any explicit permissions.

I've tried it and I cannot find any mistakes in my thinking.
Am I wrong or not?

So the question remains:
"To secure a database I read everywhere that I should remove Admin
from
the group Admins.
But why?"

I thought it was because while "Admins" in the default workgroup is not the same
as the "Admins" in your secured workgroup, it still has some administrative
permissions that you do not want the user "Admin" to have. That could be
incorrect of course, but that is what I always understood to be the case.

 

[Keith Wilby]

I thought it was because while "Admins" in the default workgroup is not
the same as the "Admins" in your secured workgroup, it still has some
administrative permissions that you do not want the user "Admin" to have.
That could be incorrect of course, but that is what I always understood to
be the case.

Isn't removal of Admin from Admins just quicker and easier than leaving it
where it is and removing all of its user permissions?

Keith.

 

[zmxn]

Isn't removal of Admin from Admins just quicker and easier than leaving it
where it is and removing all of its user permissions?

Keith.

Removing Admin from Admins doesn't take away the permissions from
Admin.
I think it is perhaps more correct to remove Admin from Admins.
But the question is that everywhere there is written that it is
important to remove Admin from Admins, but I still don't see the
necessity.

 

[Joan Wild]

I've been pondering this, and I think you are correct. It isn't absolutely
necessary.

As you've said, if Admin doesn't own anything, and it has no explicit
permissions, it shouldn't matter.

That said, I would still do it. Folks trip up on security enough without
suggesting they keep Admin in the Admins Group. By taking it out, it forces
one to create a new user to be a member of this group (and own everything),
since there must be at least one member of the Admins Group.

Also, there have been quite a few people that accidentally remove the
password on the Admin user in their secure mdw. Without that, users then
get logged in as Admin - in that scenario you wouldn't want them members of
the Admins Group.

I think it's just a safety thing. Remove everything from Admin and the
Users Group.

 

[Chris Mills]

But the group Admins in the default security.mdw is different from

your own workgroup.

That's a good point, and I will come clean and admit a mistake I have made on
some of my "Secured Apps".

Before I knew much about SecFAQ and the Joan Wild's etc of this world, I
altered the DEFAULT system.mdw and MADE it to be secure.

Please don't laugh. I made it quite secure for any "normal usage". And now
that there are so many downloadable breaking programs, it doesn't seem to
matter much if there were some minor mistakes, given how easily anything can
be broken anyway by non-techo's by buying cheap hacking programs.

Perhaps, just perhaps, such advice as "removing Admin from Admins" might have
inadvertently helped me in securing an app which, I freely admit, might not
have been secured to the maximum possible extent.

None of this matters of course, if I get too depressed about "Hacking
Programs" (and organisations offering similar services).

The most repeated mantra in this newsgroup is "Access Security is NOT really
secure whatever you do". Nevertheless, I use it, and I appreciate anything to
improve it's security (however small a step for mankind)

Chris

 

[Aaron Kempf]

MDB security is worthless at best

if anything it is a PITA nothing useful

move to Access Data Projects