T
Tom
I wrote a couple of weeks ago and asked a security
question about keeping form being hacked. Thanks to those
who responded - but I have found a different problem
which I don't think should require SQL Server to prevent -
or should it?
Here's what I did. I created a new db using the built in
System.mdw. Then I opened that db using my "secure" mdw
file as a standard user in that mdw. Then I went to
import some tables. I was able to access one of
my "secure" db's (OK so far since the user does have
Open/Read permissions on that db) and I was able to
import those tables including all date into my non-secure
db which had been opened using the secure mdw file.
Essentially that means that any user who has open/run
permissions on the back-end can create their own front
end and import or even link the tables. I realize linking
will not help them if they only have read permissions.
But importing does because they now become the owner in
their new front end.
I read through the SECFAQ but did not find anything
specifically addressing this issue. What I found was
that "Access is secure to a point..."
Did I miss something? Do I have something screwed up in
my permissions? Is it really this easy for any user with
simple open/run permissions to get at any data they want
even if in our secure front ends they would not be able
to?
I hope I am just missing something and I don't have to
spend - who knows how much - to move to SQL Server.
Thanks in advance for your help.
Tom
question about keeping form being hacked. Thanks to those
who responded - but I have found a different problem
which I don't think should require SQL Server to prevent -
or should it?
Here's what I did. I created a new db using the built in
System.mdw. Then I opened that db using my "secure" mdw
file as a standard user in that mdw. Then I went to
import some tables. I was able to access one of
my "secure" db's (OK so far since the user does have
Open/Read permissions on that db) and I was able to
import those tables including all date into my non-secure
db which had been opened using the secure mdw file.
Essentially that means that any user who has open/run
permissions on the back-end can create their own front
end and import or even link the tables. I realize linking
will not help them if they only have read permissions.
But importing does because they now become the owner in
their new front end.
I read through the SECFAQ but did not find anything
specifically addressing this issue. What I found was
that "Access is secure to a point..."
Did I miss something? Do I have something screwed up in
my permissions? Is it really this easy for any user with
simple open/run permissions to get at any data they want
even if in our secure front ends they would not be able
to?
I hope I am just missing something and I don't have to
spend - who knows how much - to move to SQL Server.
Thanks in advance for your help.
Tom