
A97: Prevent users from attaching to your secured tables.

Posted on 2003-02-27
Last Modified: 2008-02-07
Background:
1. We have a split application.  It is a "data" mdb and an "application" mdb.  For clarity, let's name them myAppl.mdb and myData.mdb (myAppl links to myData)
2. Our clients have the same icon with the following properties "C:\.\MSACCESS.EXE"  /User GUser /wrkgrp j:\SYSTEM.MDW j:\myAppl.mdb
3. We have read a variety of MSDN articles but they don't appear to address our Goal/Issue (the "Version 2.41" of article 165009 "Microsoft Access Security FAQ", etc.)

Goal/Issue
1. Create a Generic User (id=GUser) such that GUser can read, update, delete data (via myAppl), but they cannot create an MDB and attach myData* and modify the tables directly.

To illustrate the problem of Goal/Issue above there is a loophole in Access97 security.
If I create a shortcut with the following command line parms;
1.  a reference to the 'live' mdw
2.  a valid ID for that mdw*
3.  and an INVALID mdb
  ....Access will prompt you for a new mdb and then you can attach to the data (i.e. since you have successfully joined the correct MDW with a valid ID).

Is it possible, in the "start up" code, to change the user who is logged in?  What we are thinking is that our command line string would contain a "user" who has read-only access.   Within our "startup" we could then log in as the user who has the proper rights.  In short, our "real" user will then be "concealed" from the end user.
 Thanks in advance, Joe

ps.  Special challenge to you out there.  A first level Microsoft Support Engineer has said you can't do it.
Question by:jabraham54
LVL 58
ID: 8033711
Well let's start off with the fact that Access is by no means secure.

A web search will yield several cracking tools that can be used to read all the user accounts and groups and their passwords.

<<Is it possible, in the "start up" code, to change the user who is logged in?  What we are thinking is that our command line string would contain a "user" who has read-only access.   Within our "startup" we could then log in as the user who has the proper rights.  In short, our "real" user will then be "concealed" from the end user.
thanks in advance,Joe>>

  Yes and no.  When you login with a user/pswd, that's the credentials that Access uses for the default workspace, which is used for opening all objects (forms/reports).

  You can open another workspace in code with another username/pswd and then do some things with it, but forms and reports will still open under the default workspace.

<<1. Create a Generic User (id=GUser) such that GUser can read, update, delete data (via myAppl), but they cannot create an MDB and attach myData* and modify the tables directly. >>

  That's covered in the Security FAQ.

<<To illustrate the problem of Goal/Issue above there is a loophole in Access97 security.
If I create a shortcut with the following command line parms;
1.  a reference to the 'live' mdw
2.  a valid ID for that mdw*
3.  and an INVALID mdb
 ....access will prompt you for a new mdb and then you can attach to the data (ie. Since you have successfully joined the correct MDW with a valid ID).>>

 I would not call that a "loophole" as you provided proper credentials.  Remember, authorization occurs at the workspace level,  not at the database level.  The way security is designed is that a given login can access multiple MDBs.  So there is nothing wrong here.

  The part you missed is securing the tables in the BE.  Read the FAQ.

<<ps.  Special challenge to you out there.  A first level Microsoft Support Engineer has said you can't do it. >>

 Why are you asking the question then?

Jim.






 

Author Comment

by:jabraham54
ID: 8034558
Jim,
Thank you for your response.

Your last question first: "Why are you asking the question then?"

I could bore you with the multiple responses that we have received from the Microsoft Support Engineer (MSE).  While he has been quite genuine in his effort to solve the problem, the multiple correspondences over the last 10 days have led myself, and another work associate, to believe this person does not have much understanding of the issues at hand.  

In short, I am asking the question because I believe someone out there has conquered this dilemma.

Second, we can debate all day.  But, I believe that it IS a loophole whereby I can take parms from a shortcut and use them to link to raw data tables.

Third, I am confused by your statement "That's covered in the Security FAQ".  I believe you were responding to my goal which is NOT addressed in the FAQ.  In other words, if it's in there, then I don't have a problem (Jim, I am NOT trying to be 'smart' with my statement, but just trying to articulate my confusion with your response).

Fourth, I understand there exist ‘cracking’ tools and nothing is totally secure.  I am just looking for a solution that will help me 99% of the time (i.e. cannot link to my tables).

Lastly, I am new at this site.  If the answer to my issues is ‘there is no answer’, then I still award the points?

Thanks Jim, Joe
LVL 58
ID: 8035482
<<I could bore you with the multiple responses that we have received from the Microsoft Support Engineer (MSE).  While he has been quite genuine in his effort to solve the problem, the multiple correspondences over the last 10 days have led myself, and another work associate, to believe this person does not have much understanding of the issues at hand.  >>

 OK<g>.

<<Second, we can debate all day.  But, I believe that it IS a loophole whereby I can take parms from a shortcut and use them to link to raw data tables.>>

  But if you were secured properly that would not be able to happen.  We'll talk about that in a minute.

<<Third, I am confused by your statement "That's covered in the Security FAQ".  I believe you were responding to my goal which is NOT addressed in the FAQ.  In other words, if it's in there, then I don't have a problem (Jim, I am NOT trying to be 'smart' with my statement, but just trying to articulate my confusion with your response).
>>

  Understood.  Here's the link to the FAQ:

http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp

  Your problem with linking tables is covered under question #18.  #10-#17 also apply, but not specifically as they discuss the whole topic in general.

 Give it a read a couple times (yes I know it's very confusing) and then bounce back with questions. Basically you're going to remove all permissions on the tables and all table access via queries set up with "Run with owner permissions".

<<Fourth, I understand there exist 'cracking' tools and nothing is totally secure.  I am just looking for a solution that will help me 99% of the time (i.e. cannot link to my tables).>>

  Just be aware they're out there.  Any savvy user can get around anything you can do with security in about 15 minutes.

<<Lastly, I am new at this site.  If the answer to my issues is 'there is no answer', then I still award the points?>>

 Well first, welcome!  I hope you find EE is everything you expect and then some.  We've got a bunch of new experts in the TA (topic area) so a lot of folks are still getting the feel of the question/response format.

  Part of getting a good answer is asking a good question. You did a great job first time around detailing out your question: enough info to get started but not a ton of details to read through.

  Many forget things like stating version, OS in use, is this a recent problem?, etc, which causes you to have a few go-arounds sometimes.  Also don't get discouraged if it seems like you're not making headway with an expert.  Sometimes it's simply not obvious to the other person what is being asked.  Some threads just take a little extra effort.

 As for the points, generally yes, but you may decide to reduce them.  The thinking is basically this:

  Someone took the time to answer your question and often, it's a considerable amount of time before you get to the point of "no answer".    In others it can be a very quick "nope you can't do that".

  Points can always be adjusted up or down, but it's easier to go up.  So for something like this, start with a 50 pointer and ask "can this be done?" if the answer is yes, then you can increase the points for a complete solution.  You can also raise them if you feel the expert has really tried, but the end result is not what you want.

  Just as asking a good question here is something you learn, so is the use of the points system.  Some feel it gets in the way, but it serves many uses, such as keeping the "noise" level down (i.e. newsgroups).  Questions tend to be focused and of importance to the questioner, usually something they're working on right then.  That's where EE shines compared to other sites.

  It's not the PAQ (Previously Asked Questions) but the "one on one" that really helps you out.  Usually you can get a question answered in less than an hour and at most generally a day.

  Whew<g>...sorry to rattle on.
Jim.
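
An added illustration of the approach described in the answer above (remove permissions from the table, reach it only through a "Run with owner permissions" query), written as Access 97 DAO code; it is not part of the original thread or of the Security FAQ. The names tblOrders and qryOrders, the column names and the list of accounts stripped are assumptions, and the routine is assumed to run in the database that holds the table while logged in as its secured owner.

```vba
' Added example, not code from the thread or from Microsoft's FAQ.
' Assumed names: tblOrders, qryOrders, OrderID/CustomerID/OrderDate.
Option Compare Database
Option Explicit

Public Sub LockTableBehindRwopQuery()
    Dim db As DAO.Database
    Dim docs As DAO.Documents
    Dim doc As DAO.Document
    Dim acct As Variant

    Set db = CurrentDb()
    ' In DAO, tables and saved queries share the "Tables" container.
    Set docs = db.Containers("Tables").Documents

    ' 1. Remove explicit permissions on the base table for the generic
    '    user and for the default accounts present in every workgroup
    '    file (assumption: no other group still grants access).
    Set doc = docs("tblOrders")
    For Each acct In Array("GUser", "Users", "Admin")
        doc.UserName = acct
        doc.Permissions = dbSecNoAccess
    Next acct

    ' 2. Create the query as the owner. WITH OWNERACCESS OPTION is the
    '    SQL form of "Run with owner permissions": the query reads and
    '    writes the table with its owner's rights, not the caller's.
    db.CreateQueryDef "qryOrders", _
        "SELECT OrderID, CustomerID, OrderDate " & _
        "FROM tblOrders WITH OWNERACCESS OPTION;"
    docs.Refresh

    ' 3. Grant GUser data permissions on the query only.
    Set doc = docs("qryOrders")
    doc.UserName = "GUser"
    doc.Permissions = dbSecRetrieveData Or dbSecInsertData _
        Or dbSecReplaceData Or dbSecDeleteData
End Sub
```

With this in place GUser works with the data through qryOrders, while an attempt to open tblOrders directly, including through a link created in another mdb, is refused for lack of permissions.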
LVL 18

Expert Comment

by:1William
ID: 8772106
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept question, refund points
Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
1William
EE Cleanup Volunteer

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8819981
PAQ'd and points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange