Security Hole in DB with User Level Access >:(


Ryath

Technical User
Feb 24, 2002
84
GB
Hi all,

After creating the database and specifying users as:

Admin
DataInputer
Guest

Using the Security wizard, which creates an mdw and a shortcut
("C:\Program Files\Microsoft Office\Office\MSACCESS.EXE" "Q:\New DB\New DB.mdb" /WRKGRP "C:\New DB\New DB Sec.mdw") relating that file to the database file, now running the shortcut would prompt for the user name and password... BUT when I run the actual database file New DB.mdb it DOES NOT prompt for a username or password and enters it immediately in ADMIN MODE!!!!
Helppp!!!

This is not such a good discovery :(

Suppose it's better that I found it first before anyone else.

Thx Will
 
As you have learned much to your chagrin, the security wizard is fallible, or is that fail able?
The answer to your problem is you’ve done it wrong. Find the Access Security white paper for your version of Access. It is on MSKB. Download it and memorize pages 2 – 31. At least read it twice. Before starting to assign security to your database, back up both your database and the standard system.mdw. You don’t want to mess up either.

On your first attempt to implement security, even with the white paper, you will probably miss a salient point or two, with the result that (1) you may have no security at all, or (2) your security is so good that you can’t even get into the database. That’s what the backups are for.

After you do get security working correctly, understand that even Microsoft admits that Access security is very breakable by someone who knows a great deal about Access. There is software available to cut through Access security very easily, but it is better than nothing or home-grown security.

Robert Berman
 
Bob,

The Access 97 Security Wizard was certainly easy to screw up with, but I found the Access 2000 wizard much more reliable. Perhaps that was because I'd already learned a lot about security by the time 2000 came out. Would you say the 2000 wizard was also "fail able", and if so, is it because it's still too easy to screw up if you don't understand Access security, or because it doesn't cover enough ground?

I'm asking because I've thought of it as almost foolproof, and if it really isn't I should be more careful to alert people to the potential mistakes they could make with it.

Rick Sprague
 
Access Security is good but, like previous versions, a knowledgeable person can cut right through it.

Home-grown vs. Built-in

Either way you look at it, something is better than nothing. I have found a combination of both works the best. A point to always keep in mind (if you are building this for the company you work for) is: can a future admin gain access to all areas he/she needs in time of crisis?

Rhonin
 
Rick,

Strangely, I felt more secure with A97 security than with the A2K series of security implementation. As it turns out, both are far superior to what was available under A95. The security schema has been broken. Serge Gavrilov, I think, was the first to not only crack it but to write software to force security to give up all its information. I have some utilities from him which, with all versions of Access 97 forward, simply give you the groups, members of groups, and their passwords. Given all of this, the Access security schema is much better than any home-grown variety I have ever seen. Besides, if any of your users cracks the security, you can always shoot them.

Robert Berman
 
Bob,

Yes, I knew that Access security had been broken, though I didn't know how thoroughly. But for most purposes, I don't consider that a problem, because any employee who downloads and applies a tool in order to break in can be prosecuted on the basis of the extraordinary efforts they took.

What I was really asking about was how foolproof you felt the A2K wizard is.

Rick Sprague
 
Rick,

I don't think the security wizard is reliable at all. I make up a checklist from the security white paper and use that.

Robert Berman
 