MS Access Forum / Security / May 2007

Why removing Admin from Admins

zmxn - 14 Feb 2007 22:21 GMT
To secure a database I read everywhere that I should remove Admin from
the group Admins.
But why?
I've secured a database with the wizard and after that I put back
Admin in the group Admins.
Using the default system.mdw I don't have permission to access the
database.
Rick Brandt - 15 Feb 2007 00:29 GMT
> To secure a database I read everywhere that I should remove Admin from
> the group Admins.
[quoted text clipped - 3 lines]
> Using the default system.mdw I don't have permission to access the
> database.

But why do it?  The Admin user is identical in ALL mdw files.  Any permissions
you give to Admin you give to every Admin user in every workgroup file.

Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com

zmxn - 15 Feb 2007 08:28 GMT
> > To secure a database I read everywhere that I should remove Admin from
> > the group Admins.
[quoted text clipped - 11 lines]
> Email (as appropriate) to...
> RBrandt   at   Hunter   dot   com

It's obvious that you should not give any permission to Admin. But
that has nothing to do with Admin being a member of Admins or not.
I first also thought that Admin gets implicit permission from the
group Admins.
But the group Admins in the default security.mdw is different from
your own workgroup.
Logging on to the database using the default security.mdw (and using
Admin) Access gives through the SIDs.
But the Admins-SID in the default security.mdw differs from the one
you created. So Admin does not get any explicit permissions.

I've tried it and I cannot find any mistakes in my thinking.
Am I wrong or not?

So the question remains:
"To secure a database I read everywhere that I should remove Admin
from the group Admins.
But why?"
Rick Brandt - 15 Feb 2007 12:39 GMT
> It's obvious that you should not give any permission to Admin. But
> that has nothing to do with Admin being a member of Admins or not.
[quoted text clipped - 15 lines]
> the group Admins.
> But why?"

I thought it was because while "Admins" in the default workgroup is not the same
as the "Admins" in your secured workgroup, it still has some administrative
permissions that you do not want the user "Admin" to have.  That could be
incorrect of course, but that is what I always understood to be the case.

Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com

Keith Wilby - 15 Feb 2007 13:27 GMT
>> "To secure a database I read everywhere that I should remove Admin
>> from
[quoted text clipped - 6 lines]
> That could be incorrect of course, but that is what I always understood to
> be the case.

Isn't removal of Admin from Admins just quicker and easier than leaving it
where it is and removing all of its user permissions?

Keith.
zmxn - 15 Feb 2007 14:56 GMT
> >> "To secure a database I read everywhere that I should remove Admin
> >> from
[quoted text clipped - 11 lines]
>
> Keith.

Removing Admin from Admins doesn't take away the permissions from
Admin.
I think it is perhaps more correct to remove Admin from Admins.
But the question is that everywhere there is written that it is
important to remove Admin from Admins, but I still don't see the
necessity.
Joan Wild - 15 Feb 2007 17:53 GMT
I've been pondering this, and I think you are correct.  It isn't absolutely
necessary.

As you've said, if Admin doesn't own anything, and it has no explicit
permissions, it shouldn't matter.

That said, I would still do it.  Folks trip up on security enough without
suggesting they keep Admin in the Admins Group.  By taking it out, it forces
one to create a new user to be a member of this group (and own everything),
since there must be at least one member of the Admins Group.

Also, there have been quite a few people that accidentally remove the
password on the Admin user in their secure mdw.  Without that, users then
get logged in as Admin - in that scenario you wouldn't want them members of
the Admins Group.

I think it's just a safety thing.  Remove everything from Admin and the
Users Group.

Joan Wild
Microsoft Access MVP

>
> Removing Admin from Admins doesn't take away the permissions from
[quoted text clipped - 3 lines]
> important to remove Admin from Admins, but I still don't see the
> necessity.
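
Added example, not part of the thread: a DAO/VBA routine that checks the two conditions named in the post above, that Admin owns nothing and that neither Admin nor the Users group holds explicit permissions on any object. The function name is hypothetical. It assumes you run it inside the secured database, logged on through the secured workgroup file as a member of its Admins group, with a reference to the DAO library.

```vba
' Added example (not from the thread). Call from the Immediate window:
'   ? AuditDefaultAccounts()
' Returns the number of findings; details go to the Immediate window.
Public Function AuditDefaultAccounts() As Long
    Dim db As DAO.Database
    Dim ctr As DAO.Container
    Dim doc As DAO.Document
    Dim acct As Variant
    Dim findings As Long

    Set db = CurrentDb
    For Each ctr In db.Containers
        For Each doc In ctr.Documents
            ' An owner can always change permissions on its object,
            ' so anything still owned by Admin is open to every
            ' workgroup file, because the Admin user is the same in all.
            If doc.Owner = "Admin" Then
                Debug.Print "OWNED BY Admin: " & ctr.Name & "\" & doc.Name
                findings = findings + 1
            End If

            ' Permissions returns only the explicit permissions of the
            ' account named in UserName (a user or a group), without
            ' anything inherited through group membership.
            For Each acct In Array("Admin", "Users")
                doc.UserName = acct
                If doc.Permissions <> dbSecNoAccess Then
                    Debug.Print "EXPLICIT (" & acct & "): " & _
                        ctr.Name & "\" & doc.Name & _
                        "  &H" & Hex$(doc.Permissions)
                    findings = findings + 1
                End If
            Next acct
        Next doc
    Next ctr

    AuditDefaultAccounts = findings
End Function
```

A return value of 0 means no object is owned by Admin and no explicit permission is assigned to Admin or Users; the loop includes the MSysDb document in the Databases container, which carries the permissions on the database itself.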
Chris Mills - 14 Apr 2007 05:29 GMT
> But the group Admins in the default security.mdw is different from
> your own workgroup.

That's a good point, and I will come clean and admit a mistake I have made on
some of my "Secured Apps".

Before I knew much about SecFAQ and the Joan Wild's etc of this world, I
altered the DEFAULT system.mdw and MADE it to be secure.

Please don't laugh. I made it quite secure for any "normal usage". And now
that there are so many downloadable breaking programs, it doesn't seem to
matter much if there were some minor mistakes, given how easily anything can
be broken anyway by non-techo's by buying cheap hacking programs.

Perhaps, just perhaps, such advice as "removing Admin from Admins" might have
inadvertently helped me in securing an app which, I freely admit, might not
have been secured to the maximum possible extent.

None of this matters of course, if I get too depressed about "Hacking
Programs" (and organisations offering similar services).

The most repeated mantra in this newsgroup is "Access Security is NOT really
secure whatever you do". Nevertheless, I use it, and I appreciate anything to
improve its security (however small a step for mankind)

Chris
Aaron Kempf - 02 May 2007 19:13 GMT
MDB security is worthless at best

if anything it is a PITA nothing useful

move to Access Data Projects

> > But the group Admins in the default security.mdw is different from
> > your own workgroup.
[quoted text clipped - 22 lines]
>
> Chris
 