 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
MS Access Forum / Security / August 2007How secure is a MDE?
I am finishing work on a database that will be split and I plan on compiling the front-end into a MDE. If, prior to compiling, I disable all of the special keys and the shift key, would it be possible for someone to still get to the linked tables? I also have all of the menus and toolbars shutoff, save one custom toolbar. As it stands now, there is user-level security that limits who can access the database. This is done through the fOSUserName function that I found here. When a user logs on, their network ID is checked against the authorized users. If they are not on the list, a record of the user is made and the database shuts down. For more secure data, like the list of users, a second password is required to open that form. Of course, all that is moot if they can get to the table and make whatever changes. Keeping in mind that no Access database is really secure, could I be reasonably sure that your average office worker is not going to figure out how to get behind the scenes. They won’t be able to use some combination of keys to get to the tables, etc. To answer the potential question: The back-end will most likely be on a SQL server by the time this is rolled out, so I am not as concerned about the actual tables; however, there is a chance that I will need to park the BE on a shared server, which raises all new issues. I’ll cross that bridge when I get to it. Comments/questions PJ Creating an MDE doesn't stop people from getting to the data at all. All that's required is to create an empty database and attempt to import the tables from your MDE. (Actually, you don't even need to create an empty database: you can do it from any ODBC-compliant client, such as Excel or Word)  SignatureDoug Steele, Microsoft Access MVP http://I.Am/DougSteele (no private e-mails, please) >I am finishing work on a database that will be split and I plan on >compiling [quoted text clipped - 33 lines] > > PJ Interesting. I had not considered that. So all one would need to do is create a new database (or use any ODBC-compliant client), import the tables and change their security settings. Password protecting the front-end would do no good because they already can access it. So that begs the question, is there any way to block tables from accessed that way? I really wish I could say that no one would think of that. This is a group that has never used Access before. But I imagine that once some on figures out that a supervisor can see more than they can, the race is on. Thanks! PJ > Creating an MDE doesn't stop people from getting to the data at all. All > that's required is to create an empty database and attempt to import the [quoted text clipped - 39 lines] > > > > PJ >So all one would need to do is create a new database (or use any >ODBC-compliant client), import the tables and change their security settings. > Password protecting the front-end would do no good because they already can >access it. So that begs the question, is there any way to block tables from >accessed that way? You can put security on the tables on the backend. However that is insufficient as anyone can take the backend home with them and attempt to crack it themselves. The only secure(ish) means of data storage is to use SQL Server (or similar) which stores the database on a computer which is behind a lock. SQL Server running on that computer handles all requests to the database file and the users can't get to that database file. (Unless your admins do something incredibly stupid like letting folks have access to C$, the default share name of C drive.) >I really wish I could say that no one would think of that. This is a group >that has never used Access before. But I imagine that once some on figures >out that a supervisor can see more than they can, the race is on. A few minutes searching and that's enough. Tony SignatureTony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ I think that MS Access can be very secure with MDE and password protected MDB file. It all depends on how you create your DB. The way I secure my Access DB is split FE and BE with MDB and/or SQL. On the FE, I only include forms with VBA codes and modules. On the BE, I only include tables and reports. I use ADO to communicate between the FE and BE. On the BE with the MDB file, I setup the password with 20 + characters (including special characters so it will be very hard for anyone to crack). On the MDE file, I put ADO codes with a password to communicate with the BE (MDB file) in a module. On the downside, it will be lots of VBA codes and it will take lots of times to do it. I have not heard anybody crack a module in a MDE file (or I could be wrong). I am wondering what do other people think? >>So all one would need to do is create a new database (or use any >>ODBC-compliant client), import the tables and change their security settings. [quoted text clipped - 21 lines] > >Tony >I think that MS Access can be very secure with MDE and password protected MDB >file. It all depends on how you create your DB. The way I secure my Access >DB is split FE and BE with MDB and/or SQL. On the FE, I only include forms >with VBA codes and modules. On the BE, I only include tables and reports. Just curious. Why not put the reports in the FE? >I use ADO to communicate between the FE and BE. On the BE with the MDB file, I >setup the password with 20 + characters (including special characters so it >will be very hard for anyone to crack). I think here are crackers out there for Access security. Note that I'd suggest breaking up the password and storing chunks of the password in different non contiguous variables, that is mix them up, so someone going through the hex in the FE MDE can't see the phrase. Const Part2 as string = "def' Const Part4 as stirng = "jkl" Const Part3 as string = "ghi" Const Part1 as string = "abc" >I have not heard anybody crack a module in a MDE file (or I could be wrong). MDE to MDB Conversion Service for Microsoft® Access http://www.everythingaccess.com/mdeconversion.htm Converting a Microsoft Access MDE file back into an MDB file. Section 2 at http://www.access.qbuilt.com/html/faq.html Tony SignatureTony Toews, Microsoft Access MVP Please respond only in the newsgroups so that others can read the entire thread of messages. Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/ Tony, I appreciated you pointed me to the "Everythingaccess" site. I guess the MDE file is that secure after all. If anyone could crack a module in a MDE file, then he/she could see a MDB's password. As far as I know, what I described on my previous post was as secure as I can get on Access. >Just curious. Why not put the reports in the FE? I don't put reports in the FE because it has no tables/queries there and reports won't work with ADO, so that is why I put reports/tables/queries on the BE. Also, you suggest that I should break down a password into different pieces but if they (like "EverythingAccess' people") could crack it then it won't be that helpful. They can see all VBA codes except comments. NLD >>I think that MS Access can be very secure with MDE and password protected MDB >>file. It all depends on how you create your DB. The way I secure my Access [quoted text clipped - 28 lines] > >Tony |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.