• Status: Solved

A97: Prevent users from attaching to your secured tables.

Background:
1. We have a split application. It is a "data" mdb and an "application" mdb. For clarity, let's name them myAppl.mdb and myData.mdb (myAppl links to myData).
2. Our clients have the same icon with the following properties: "C:\.\MSACCESS.EXE" /User GUser /wrkgrp j:\SYSTEM.MDW j:\myAppl.mdb
3. We have read a variety of MSDN articles but they don't appear to address our Goal/Issue (the "Version 2.41" of article 165009 "Microsoft Access Security FAQ", etc.)

Goal/Issue
1. Create a Generic User (id=GUser) such that GUser can read, update, delete data (via myAppl), but they cannot create an MDB and attach myData* and modify the tables directly.

To illustrate the problem of the Goal/Issue above, there is a loophole in Access 97 security.
If I create a shortcut with the following command line parms:
1. a reference to the 'live' mdw
2. a valid ID for that mdw*
3. and an INVALID mdb
... Access will prompt you for a new mdb and then you can attach to the data (i.e. since you have successfully joined the correct MDW with a valid ID).

Is it possible, in the "start up" code, to change the user who is logged in? What we are thinking is that our command line string would contain a "user" who has read-only access. Within our "startup" we could then log in as the user who has the proper rights. In short, our "real" user will then be "concealed" from the end user.
Thanks in advance, Joe

ps. Special challenge to you out there. A first level Microsoft Support Engineer has said you can't do it.
Asked by: jabraham54
Jim Dettman (Microsoft MVP / EE MVE), President, commented:
Well let's start off with the fact that Access is by no means secure.

A web search will yield several cracking tools that can be used to read all the user accounts and groups and their passwords.

<<Is it possible, in the start up code, to change the user who is logged in?  What we are thinking is that our command line string would contain a user who has read-only access.   Within our startup we could then log in as the user who has the proper rights.  In short, our real user will then be concealed from the end user.
Thanks in advance, Joe>>

  Yes and no.  When you login with a user/pswd, that's the credentials that Access uses for the default workspace, which is used for opening all objects (forms/reports).

  You can open another workspace in code with another username/pswd and then do some things with it, but forms and reports will still open under the default workspace.

<<1. Create a Generic User (id=GUser) such that GUser can read, update, delete data (via myAppl), but they cannot create an MDB and attach myData* and modify the tables directly. >>

  That's covered in the Security FAQ.

<<To illustrate the problem of Goal/Issue above there is a loophole in Access97 security.
If I create a shortcut with the following command line parms;
1.  a reference to the 'live' mdw
2.  a valid ID for that mdw*
3.  and an INVALID mdb
 ....access will prompt you for a new mdb and then you can attach to the data (ie. Since you have successfully joined the correct MDW with a valid ID).>>

 I would not call that a "loophole" as you provided proper credentials.  Remember, authorization occurs at the workspace level, not at the database level.  The way security is designed is that a given login can access multiple MDBs.  So there is nothing wrong here.

  The part you missed is securing the tables in the BE.  Read the FAQ.

<<ps.  Special challenge to you out there.  A first level Microsoft Support Engineer has said you can't do it. >>

 Why are you asking the question then?

Jim.
jabraham54 (Author) commented:
Jim,
Thank you for your response.

Your last question first: "Why are you asking the question then?"

I could bore you with the multiple responses that we have received from the Microsoft Support Engineer (MSE).  While he has been quite genuine in his effort to solve the problem, the multiple correspondences over the last 10 days have led myself, and another work associate, to believe this person does not have much understanding of the issues at hand.  

In short, I am asking the question because I believe someone out there has conquered this dilemma.

Second, we can debate all day.  But, I believe that it IS a loophole whereby I can take parms from a shortcut and use them to link to raw data tables.

Third, I am confused by your statement "That's covered in the Security FAQ". I believe you were responding to my goal which is NOT addressed in the FAQ. In other words, if it's in there, then I don't have a problem (Jim, I am NOT trying to be 'smart' with my statement, but just trying to articulate my confusion with your response).

Fourth, I understand there exist 'cracking' tools and nothing is totally secure. I am just looking for a solution that will help me 99% of the time (i.e. cannot link to my tables).

Lastly, I am new at this site. If the answer to my issues is 'there is no answer', do I still award the points?

Thanks Jim, Joe
Jim Dettman (Microsoft MVP / EE MVE), President, commented:
<<I could bore you with the multiple responses that we have received from the Microsoft Support Engineer (MSE).  While he has been quite genuine in his effort to solve the problem, the multiple correspondences over the last 10 days have led myself, and another work associate, to believe this person does not have much understanding of the issues at hand.  >>

 OK<g>.

<<Second, we can debate all day.  But, I believe that it IS a loophole whereby I can take parms from a shortcut and use them to link to raw data tables.>>

  But if you were secured properly that would not be able to happen.  We'll talk about that in a minute.

<<Third, I am confused by your statement "That's covered in the Security FAQ".  I believe you were responding to my goal which is NOT addressed in the FAQ.  In other words, if it's in there, then I don't have a problem (Jim, I am NOT trying to be smart with my statement, but just trying to articulate my confusion with your response).>>

  Understood.  Here's the link to the FAQ:

http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp

  Your problem with linking tables is covered under question #18.  #10-#17 also apply, but not specifically as they discuss the whole topic in general.

 Give it a read a couple of times (yes, I know it's very confusing) and then bounce back with questions. Basically you're going to remove all permissions on the tables and all table access via queries set up with "Run with owner permissions".

<<Fourth, I understand there exist cracking tools and nothing is totally secure.  I am just looking for a solution that will help me 99% of the time (i.e. cannot link to my tables).>>

  Just be aware they're out there.  Any savvy user can get around anything you can do with security in about 15 minutes.

<<Lastly, I am new at this site.  If the answer to my issues is there is no answer, then I still award the points?>>

 Well first, welcome!  I hope you find EE is everything you expect and then some.  We've got a bunch of new experts in the TA (topic area) so a lot of folks are still getting the feel of the question/response format.

  Part of getting a good answer is asking a good question. You did a great job first time around detailing out your question: enough info to get started but not a ton of details to read through.

  Many forget things like stating version, OS in use, is this a recent problem?, etc., which causes you to have a few go-arounds sometimes.  Also don't get discouraged if it seems like you're not making headway with an expert.  Sometimes it's simply not obvious to the other person what is being asked.  Some threads just take a little extra effort.

 As for the points, generally yes, but you may decide to reduce them.  The thinking is basically this:

  Someone took the time to answer your question and often, it's a considerable amount of time before you get to the point of "no answer".    In others it can be a very quick "nope you can't do that".

  Points can always be adjusted up or down, but it's easier to go up.  So for something like this, start with a 50 pointer and ask "can this be done?" if the answer is yes, then you can increase the points for a complete solution.  You can also raise them if you feel the expert has really tried, but the end result is not what you want.

  Just as asking a good question here is something you learn, so is the use of the points system.  Some feel it gets in the way, but it serves many uses, such as keeping the "noise" level down (i.e. newsgroups).  Questions tend to be focused and of importance to the questioner, usually something they're working on right then.  That's where EE shines compared to other sites.

  It's not the PAQ (Previously Asked Questions) but the "one on one" that really helps you out.  Usually you can get a question answered in less than an hour and at most generally a day.

  Whew<g>...sorry to rattle on.
Jim.
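The lockdown Jim describes (no direct permissions on the back-end tables, data reached only through queries that run with owner permissions) and the "open another workspace in code" point from his first answer, worked through as an added DAO example. This is not code from the thread or from the Security FAQ. It assumes DAO 3.5 under Access 97, the paths and accounts from the question (j:\SYSTEM.MDW, j:\myData.mdb, j:\myAppl.mdb, the GUser account), plus a table named tblCustomers that is linked into the front end under the same name, and an owner account named AppOwner in the Admins group that owns both files; the table name, owner name and passwords are assumptions and placeholders.

```vba
' Added example, not from the thread. Assumes DAO 3.5 (Access 97) and that
' Access was started with the /wrkgrp switch from the question, so DBEngine
' already uses j:\SYSTEM.MDW. Run SecureBackEnd once as a member of Admins.
Option Explicit

Private Const BACKEND As String = "J:\myData.mdb"
Private Const FRONTEND As String = "J:\myAppl.mdb"
Private Const OWNER_USER As String = "AppOwner"        ' assumed owner account
Private Const OWNER_PWD As String = "owner-password"   ' placeholder
Private Const TABLE_NAME As String = "tblCustomers"    ' assumed table
Private Const RWOP_QUERY As String = "qryCustomers"    ' assumed query name

' Open a separate workspace under another account. This is the "open another
' workspace in code" from Jim's first answer: DAO calls made through it run
' as that user, but forms and reports still use the default workspace.
Public Function OpenSecuredWorkspace(ByVal userName As String, _
                                     ByVal pwd As String) As DAO.Workspace
    Set OpenSecuredWorkspace = DBEngine.CreateWorkspace("ws_" & userName, userName, pwd)
End Function

' Replace every permission one account or group holds on a table/query
' document with "no access". Permissions are set, not OR-ed, so this revokes.
Private Sub RevokeAll(ByVal db As DAO.Database, ByVal docName As String, _
                      ByVal account As String)
    Dim doc As DAO.Document
    Set doc = db.Containers("Tables").Documents(docName)
    doc.UserName = account
    doc.Permissions = dbSecNoAccess
End Sub

' Lock down the back end: the Users group, the built-in Admin user and GUser
' lose all direct rights on every non-system table. Then create a query in
' the front end that runs with the owner's permissions (RWOP) and grant the
' Users group data rights on that query only.
Public Sub SecureBackEnd()
    Dim ws As DAO.Workspace, dbBE As DAO.Database, dbFE As DAO.Database
    Dim tdf As DAO.TableDef, qdf As DAO.QueryDef, doc As DAO.Document
    Dim accounts As Variant, i As Integer
    accounts = Array("Users", "Admin", "GUser")

    Set ws = OpenSecuredWorkspace(OWNER_USER, OWNER_PWD)

    ' 1. Back end: strip direct table permissions (exclusive open).
    Set dbBE = ws.OpenDatabase(BACKEND, True)
    For Each tdf In dbBE.TableDefs
        If (tdf.Attributes And dbSystemObject) = 0 Then
            For i = LBound(accounts) To UBound(accounts)
                RevokeAll dbBE, tdf.Name, accounts(i)
            Next i
        End If
    Next tdf
    dbBE.Close

    ' 2. Front end: an RWOP query over the linked table. Because it is created
    '    in AppOwner's workspace, AppOwner owns it; WITH OWNERACCESS OPTION makes
    '    Jet evaluate the query with the owner's table rights, so a caller needs
    '    permissions on the query alone, never on tblCustomers itself.
    Set dbFE = ws.OpenDatabase(FRONTEND, True)
    On Error Resume Next
    dbFE.QueryDefs.Delete RWOP_QUERY       ' recreate if it already exists
    On Error GoTo 0
    Set qdf = dbFE.CreateQueryDef(RWOP_QUERY, _
        "SELECT * FROM " & TABLE_NAME & " WITH OWNERACCESS OPTION;")

    Set doc = dbFE.Containers("Tables").Documents(RWOP_QUERY)
    doc.UserName = "Users"
    doc.Permissions = dbSecRetrieveData Or dbSecInsertData _
                   Or dbSecReplaceData Or dbSecDeleteData
    dbFE.Close
    ws.Close
End Sub

' Check: can this account open the named table or query directly? After
' SecureBackEnd, CanOpenDirectly("GUser", pwd, "tblCustomers", BACKEND) should
' return False (Jet raises a permission error, typically 3033), while
' CanOpenDirectly("GUser", pwd, "qryCustomers", FRONTEND) should return True.
Public Function CanOpenDirectly(ByVal userName As String, ByVal pwd As String, _
                                ByVal objName As String, ByVal mdbPath As String) As Boolean
    Dim ws As DAO.Workspace, db As DAO.Database, rs As DAO.Recordset
    On Error GoTo Denied
    Set ws = OpenSecuredWorkspace(userName, pwd)
    Set db = ws.OpenDatabase(mdbPath)
    Set rs = db.OpenRecordset(objName, dbOpenSnapshot)
    rs.Close
    db.Close
    ws.Close
    CanOpenDirectly = True
    Exit Function
Denied:
    CanOpenDirectly = False     ' no permission on the object
End Function
```

The check function is the part worth keeping around: it reproduces the shortcut trick from the question (valid workgroup file, valid GUser, arbitrary mdb) from code, so you can confirm that GUser no longer reaches the raw tables while the application's queries still work. The caveat from the answer stands regardless of this code: anyone holding the MDW can still run a cracking tool against it, so this raises the bar for ordinary users rather than making the data unreadable.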
1William commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept question, refund points
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

1William
EE Cleanup Volunteer
SpideyMod commented:
PAQ'd and points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange