Hi, Bill.
I need some advice re simple steps to secure a MS Access db.
Simple steps? Experienced Access database developers have quite a difficult
time with trying to secure an Access database if they've never done it
before. It's not simple, even on a regular Windows network, let alone with
Web access. For information on User-level Security, please see the Security
FAQ on the following Web page:
http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp
You'll probably want to look at the following Web page for a way to avoid
the hurdle of a user ID and password when connecting to the database after
you've implemented User-level Security:
http://www.jmwild.com/SecureNoLogin.htm
For additional steps, suggestions, links to tutorials and examples related
to the ASP setup, please see the following Web page for links to a number of
previous discussions on this topic:
http://groups.google.com/groups?hl=...cure+ASP+group:*access.*&safe=off&qt_s=Search
This is a pilot site so security doesn't have to be "industrial strength".
So you're saying you won't be disappointed when you struggle for two weeks
to get it right, and find that it takes less than 30 seconds to break through
your wall of security? That's the spirit! You'll learn quite a bit about
database security, Web security, and computer security by doing this execise
if you can successfully implement User-level Security on a database that a
Web page can connect to and do more than just read data.
My web pages are ASP VB developed with Dreamweaver.
How are you going to hide the connection string to the database? That's all
a hacker needs to find out where the Access database file is located, copy
the file, and then open the copy elsewhere and browse through the data at his
leisure. And if the hacker wanted to be malicious, he'd change the data in
his copy of the database, then copy over the original file on your Web server
with his version, compromising your data. In case you think hiding the
connection string is unnecessary, here's a "failed to hide the database
connection string" story that made the news a few years ago,
_Help_Wanted:_Steal_This_Database_:
http://wired.com/news/infostructure/0,1377,57066,00.html
Think hackers won't find your database on the Web? They use popular search
engines to come straight to your door:
http://www.wired.com/news/infostructure/0,1377,57897,00.html
I'm a newbie so any simple advice is welcomed. Keep in mind this is a pilot
site and the production site may be professionally developed.
If you'd had this pilot site professionally developed, the developers would
have told you that they need to build the security framework _before_ they
build the database and the Web site, not add security after the fact. ASP,
IIS, and Access aren't the tools to use if one needs to secure the data.
Perhaps you should keep in mind that this is just a pilot site that doesn't
have security, so don't put anything in the database that you don't want the
users or hackers to see.
HTH.
Gunny
See
http://www.QBuilt.com for all your database needs.
See
http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact info.
- - -
If my answer has helped you, please sign in and answer yes to the question
"Did this post answer your question?" at the bottom of the message, which
adds your question and the answers to the database of answers. Remember that
questions answered the quickest are often from those who have a history of
rewarding the contributors who have taken the time to answer questions
correctly.
