
Super .mdw file surpasses all security 8

Status
Not open for further replies.

AcquisitiveOne

I have set up a workgroup for a specific database that I have created. The permissions work great for each user but for some reason if the user uses the system.mdw file it will surpass all security for that database file and the user will be allowed full access. I understand that the admin password needed to be changed in order for this not to happen and I even assigned the admin user to not have any permissions to the database (not even be able to open it). Still the user can get in the database. The weird thing is that on 2 of my computers the system.mdw is located in C:\Program Files\Common Files\SYSTEM and it will surpass all security. On other computers the system.mdw file is located in C:\Windows\System\system.mdw and when you try to open the database using this workgroup it will say do not have permissions to view database. Some computers have two system.mdw files: one in C:\Windows\System\ (this file won't pass security) and one file in C:\Program Files\Microsoft Office\Office\System.mdw (this one will pass security). So my question is why is it doing that. If anyone who isn't in my workgroup happens to be by default assigned to this workgroup they can get in my database. But since there are two mdws how do I know if the security is working? Please help. Cuz this is making me frustrated! %-(
 
You missed some of the literature. You ALSO need to have the security file to NOT be named "System.MDW". This is fairly extensively documented in numerous books/articles ... discussions on Ms. Access Security. It is the Achilles HEEL of an otherwise excellent example of abject obfuscation.



MichaelRed
mred@duvallgroup.com
There is never time to do it right but there is always time to do it over
 
Michael, I have used Access security many times, but I never ran across a problem related to the name of the workgroup file. Rather, I've had this problem because the person setting up security started with a copy of the System.mdw as installed with Access, rather than creating a new workgroup file with a unique Workgroup ID. It winds up having the same Security ID as the default workgroup then. So when a user using an unmodified default system.mdw logs on, the database accepts the SID, and the default Users group has all permissions.

Are you sure there's an issue with just having the name "system.mdw"? Can you point me to any documentation on this? Rick Sprague
 
Ignore my explanation about the default Users group having all permissions--the analysis was flawed. But I'm still interested in documentation of the name issue. Rick Sprague
 
Rick,

I cannot recall exactly where I ran across this info. I do remember the rationale. If the security database (.MDW) has the default name ("system.Mdw"), then reference to any System.MDW is an appropriate reference to the security database. Since Ms. Access looks for the security database and uses whatever info it finds, a default system.MDW would appear to allow all users to have all permissions for all objects. Effectively resulting in an 'unsecured' database. I am pretty sure I have actually encountered this at a previous job. A user received an upgrade machine, and had default software installations. I had set the security file to system.mdw - on a server - however the installation of Access switched the reference to the local default system.mdw and the user suddenly had all access rights to all objects. Thankfully, the user was quite surprised by this and asked why he suddenly had the capability to do things in the app which he knew were not part of his normal duties. Still took me a while to find the answer and 'fix' the problem.

It is possible that I am doing more than necessary in this, but I have always used a different name for the security file since that job.



MichaelRed
mred@duvallgroup.com
There is never time to do it right but there is always time to do it over
 
The name of our security file is not system.mdw; we created a new one and titled it security.mdw so I don't think that's the problem. Plus like I said one system.mdw will give full access while the other system.mdw won't. I never created a file named system.mdw. The default one will work when it's in C:\Program Files\Common Files but will not work when it is in C:\Windows\System. I have one computer that actually has two system.mdw's on it. I never modified it or added a system.mdw to this computer either. One of the system.mdw's gives full access. While the other with the exact same name (although in a different location) doesn't give any access to the file. It is weird b/c they are both system.mdw's and only one will pass through security. They should be part of a different workgroup called security.mdw that is on the network. If they are a part of this workgroup the security works. But how can I tell if a new user will automatically be allowed full access when a default system.mdw works in one location and not the other? Please Help!!! I don't understand and I have read numerous books.
 
I tested the theory with a properly secured database and an associated workgroup that I renamed to system.mdw. I was not given access. Michael, I strongly suspect that your experience, and that reported in what you read, was a result not of the file name but of the fact that the workgroup file either started out as a copy of the default system.mdw, or was created with the same Workgroup ID and Organization name as the default system.mdw. This is known to leave the very hole that Acquisitive One is experiencing. The common naming was coincidental and not essential.

Acquisitive One: The easiest way to fix the problem will be to start with a backup copy of your unsecured database and use the Access User-Level Security Wizard. Follow the instructions very carefully. (The Access 2000 wizard is much more bulletproof; Access 97's wizard will let you screw yourself.)

If that's entirely impractical, say so and I'll give you a procedure to do it manually. But it's very tricky, and has to be done exactly right, so use the wizard if you can. Rick Sprague
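AcquisitiveOne's question of how to tell which workgroup files get past the security can be checked directly by trying each default file in turn. The following VBA is an added example, not code from any poster in this thread; it assumes a reference to Microsoft DAO is set, `DB_PATH`, `ProbeWorkgroup` and `AuditDefaultWorkgroups` are hypothetical names, and the three workgroup paths are the ones given in the first post.

```vba
Option Compare Database
Option Explicit

' Hypothetical placeholder: path of the secured database being audited.
Private Const DB_PATH As String = "C:\Data\Secured.mdb"

' Try to open dbPath as the built-in Admin user (blank password) through
' the workgroup file mdwPath, and return a one-line verdict.
Public Function ProbeWorkgroup(ByVal dbPath As String, _
                               ByVal mdwPath As String) As String
    Dim dbe As DAO.PrivDBEngine
    Dim ws As DAO.Workspace
    Dim db As DAO.Database

    If Len(Dir$(mdwPath)) = 0 Then
        ProbeWorkgroup = "not present on this machine"
        Exit Function
    End If

    On Error GoTo Refused
    Set dbe = New DAO.PrivDBEngine   ' separate Jet session with its own SystemDB
    dbe.SystemDB = mdwPath           ' must be set before the engine is first used
    dbe.DefaultUser = "Admin"
    dbe.DefaultPassword = ""
    Set ws = dbe.Workspaces(0)       ' logs on with the defaults set above
    Set db = ws.OpenDatabase(dbPath, False, True)   ' shared, read-only
    ProbeWorkgroup = "OPENED as Admin: the database accepts this workgroup file"
    db.Close
    Exit Function
Refused:
    ProbeWorkgroup = "refused (" & Err.Number & "): " & Err.Description
End Function

' Run the probe against each default location named in the first post.
Public Sub AuditDefaultWorkgroups()
    Dim candidates As Variant, p As Variant
    candidates = Array( _
        "C:\Program Files\Common Files\SYSTEM\system.mdw", _
        "C:\Windows\System\system.mdw", _
        "C:\Program Files\Microsoft Office\Office\System.mdw")
    For Each p In candidates
        Debug.Print p & " -> " & ProbeWorkgroup(DB_PATH, CStr(p))
    Next p
End Sub
```

Run `AuditDefaultWorkgroups` from a scratch database rather than from inside the secured one, and read the results in the Immediate window. A refusal only covers the Admin account as stored in that particular workgroup file, so a file whose Admin has been given a password will be refused at logon regardless of how the database is secured.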
 
I didn't think anything about Access 97 security was well documented. Everything I've learned had to be scouted out or learned by experience. Most books give a short 2-3 page account of it. This is good information.

Steve King
 
Access security is driving me crazy. I want to get rid of access security and mdw files and all and depend on NT shares and permissions to protect the databases. How can I get rid of the access security and stop the clients from having to log on to an mdw file?

 
The thread is already big so I try to make it short:

1. ACCESS security is 99% safe if it is properly set up.
2. The name of the MDW has no importance at all
3. You need a new admin GROUP
4. Delete all rights from the standard admin and users (both users AND group).
5. If you deliver a MDW containing a "real" admin then remember that hack programs for 50$ can read usernames and passwords from the MDW. Use the "double MDW system" to add the missing 1% to the 99%.
6. Always lock the maintenance admin (relinking, user administration...) into a "Prison form".
7. NT security is not applicable on database objects inside the MDB/MDE files.
 
Teasing hints. What is "the double mdw system", what exactly are the criteria for a prison form? Is there a reference book where this info can be found ?
Please tell us more.
 
1. "Double MDW system":
   Developer-MDW: Contains all users including Developer (no restrictions)
   User-MDW: contains all users without Developer but with LimitedAdmin (who will be locked in frmPrison like described before).
2. frmPrison:
   OnClose: Application.quit
   Popup/Modal: stays always on top
   Block the minimize button
   Test intensively if it is REALLY safe
3. The reference book for both techniques (plus a couple of others) is situated between my ears.

Happy programming!

Francescina
 
I'm about a meg and a half behind you guys. I can't even get into a file I've been given full access to... there's something fundamental I don't understand.
Back in Access97 days I used wgadmin to join workgroups but now I'm on W2k and it won't even give me the time of day!
Another user, a member of the AES workgroup on a NT system applied security to an Access database and gave me admin rights. I joined the AES workgroup but when I call up the database I get "You do not have necessary permissions..." I don't even get to enter my username/password. I think there's something REALLY BASIC I'm missing. Any hints?
 
Off the top (and it is a LOW top), I can only suggest that the workgroup file is not accessible to you (path not in an area you can access) when you attempt to log on. Since you were able to "join" the workgroup, this appears to be not the problem.

AFAIK, the workgroup administration has not changed between '97 and 2K. If you are not even given the prompt, it MIGHT be that you have the workgroup specified in a desktop shortcut -AND- it is specified incorrectly?

MichaelRed
mred@att.net

There is never time to do it right but there is always time to do it over
 
RickSpr, I would be interested in your procedure for manually securing a database.
 
Basically, you MUST belong to SOME workgroup to use Ms. A. "Unjoining" would have to be to "JOIN" some other workgroup - or not using Ms. A at all

MichaelRed
m.red@att.net

There is never time to do it right but there is always time to do it over
 
Hi All, I am having a heck of a time getting this security to work. The thing is I can implement the user-level security successfully on my PC, but those who are on the network can go right to the server into the application and start it, bypassing the password logon box. I have read numerous things and have gone step by step with the instructions on this site as well as others. If you have any information on how I can get the securities to work outside of my PC and on other machines on the network, PLEASE PLEASE PLEASE HELP!!!!!!!!
 
AcquisitiveOne - Just a thought. I have never had any problems with security, so I have never had to go very deep into it other than setting up the permissions. But, have you ever upgraded your systems from one version of Access to another? Perhaps one of these .mdw files is for a prior version of Access - again, just a shot in the dark.

Francescina - Great input on the security. It sounds like you have had a good deal of experience with it. Would you consider writing an FAQ detailing some of the items you have mentioned here? I am sure it would be greatly appreciated.

Jay
 