How secure is Access 2007

  • Thread starter Thread starter Arejan
  • Start date Start date
A

Arejan

previous versions of Ms Access is not secure .

Is it still the same ?

if not

how to upgrade and secure an .mdb in Access 2007.
 
There is no user-level security in Access 2007 (at least, not in the new
database format: you can still use it if you continue to use the MDB format,
but it's no different than before).
 
I am Intending to distribute the access file along with the application

so

is it still possible to retrive the password by using tools like
Accesspassword recovery as

in older versions ?

(which leaves a critical security hole
even if access security /windows is configured .
giving the only option to switch to other RDBMS.)
 
Arejan said:
I am Intending to distribute the access file along with the
application

so

is it still possible to retrive the password by using tools like
Accesspassword recovery as

in older versions ?

(which leaves a critical security hole
even if access security /windows is configured .
giving the only option to switch to other RDBMS.)
Click to expand...

To secure data from non-users use network permissions on the file or folder.

To secure data from USERS don't store it in an Access file.
 
Keith Wilby said:
And your point is ... ?
Click to expand...

Presumably he/she didn't understand Rick's point that you can't successfully
protect data in an MDB/MDE file.
 
Douglas J. Steele said:
Presumably he/she didn't understand Rick's point that you can't
successfully protect data in an MDB/MDE file.
Click to expand...
Doug and friends,
A gentleman called Brent Spaulding and I had a long discussion on this
over at UtterAccess.com and came up with what we think is a decent way
of securing data from users in Access 2007 files (as in accdb/e files,
not mdb/e files). However, despite the thread being viewed over 3000
times, only one other person tried it out :-(.

I would be most interested in you opinion if you had the chance to
have a look. I summarised the discussion in a PDF file which you can
get at http://www.pdtltd.co.uk/pdtl/technicalresources.htm.

Alan Cossey
 
Hi Alan,

I saved that thread on UA in my Favorites a long time ago for future reading. I'm too busy right now
with my current project to fully test your findings, but as soon as my time is available again, I'm
very interested in trying this out. I'm quite curious myself to see this process.

I'll personally try and get back with you when the time comes.
--
Jeff Conrad
Access Junkie - MVP
http://home.bendbroadband.com/conradsystems/accessjunkie.html
Access 2007 Info: http://www.AccessJunkie.com

in message:
 
Doug and friends,
A gentleman called Brent Spaulding and I had a long discussion on this
over at UtterAccess.com and came up with what we think is a decent way of
securing data from users in Access 2007 files (as in accdb/e files, not
mdb/e files). However, despite the thread being viewed over 3000 times,
only one other person tried it out :-(.

I would be most interested in you opinion if you had the chance to have a
look. I summarised the discussion in a PDF file which you can get at
http://www.pdtltd.co.uk/pdtl/technicalresources.htm.
Click to expand...

Alan,

I did a quick scan of the PDF and it looks very interesting. I'm wondering,
at first glance, if a hacker can mine the mid-tier database password from
the FE and, then, open the mid-tier database and mine the backend database
password. I haven't used 2007 at all yet, so can't test it out, but will do
so as soon as I have a machine with 2007 on it.
 
Hi Lynn,
There are three possible weaknesses with vPPC (when used with an
Access back end) that I know of. These are:

1) Ability to get at the data via Automation if the hacker knows the
location of the back end. An example of this might be where a form is
open in the Access front end and a user uses VBA from another
application, e.g. Excel. If they use GetObject to hook into the
already open Access application, they can use this to
read/modify/delete data in the back end if they know where that back
end is. If they know or can guess the names of the tables in the back
end, they can do this quickly; if they don't, they could find out the
names from one of the system tables. However, if the back end location
is not known to the hacker, I don't know of any way of getting at the
data using "normal" methods such as using VB/VBA. Note that if the
back end is a server database such as SQL Server, it appears to be
free from this weakness.

Having said all the above, I can't remember how I hacked into a back
end. It is a while since I did it and didn't keep my code. Will try
again later. I wonder whether I had got some linked tables in my front
end at the time and was looking at those....

2) "Mining" the mid-tier database password from the front end. In my
example, I just set up that password in the declarations section of a
module. It may be that if the front end is encrypted that this will
stop people from getting to it from some tool outside Access. If the
encryption method is all it is cracked up to be (pun intended) and you
make the front end into a .accde file, maybe this is sufficient. If
not, obfuscating it may be the only means of hiding it, e.g. creating
on the fly with some really obscurely written code.

3) One of these sniffer thingies that can read network traffic and
which can pick out the database password as it whizzes across the
network. If there is a possibility of this happening, then we are in
trouble (as are SQL Server junkies using SQL Server authentication?).

Alan
 
Hi Lynn,
Sorry about the top posting. Slipped into it without thinking. Will
try harder next time.

The sort of code referred to in 1) below is as follows (once you have
set references to the Microsoft Access 12.0 Object Library and
Microsoft Office 12.0 Access Database Engine Object Library where
C:\test\fe.accdb (or .accde) is the front end and C:\test\data.accdb
is the back end. This works if fe.accdb has a form open.

Public Sub HackQuery()
Dim app As Access.Application
Dim rst As DAO.Recordset
Dim db As DAO.Database

Set app = GetObject("C:\test\fe.accdb")
Set db = app.CurrentDb
Set rst = db.OpenRecordset("Select tblNames.* from tblNames in
'C:\test\data.accdb'")

rst.Edit
rst(2) = "Wiseman"
rst.Update

rst.Close
Set rst = Nothing
Set db = Nothing
Set app = Nothing
End Sub


Alan
 
Hi Alan,
Worry thou not. I'm neither an advocate of top posting or bottom posting.
I'll take it either way I can get it. Thanks for the additional information.
Hopefully, I'll have A2007 installed somewhere soon so that I can check all
this out. I've been somewhat concerned with the absence of ULS in 2007.
 
Douglas J. Steele said:
Presumably he/she didn't understand Rick's point that you can't
successfully protect data in an MDB/MDE file.
Click to expand...

That's true of any file. If someone wants data and they know enough and try
hard enough, they will get it, assuming that they don't get caught trying
first. But that is relative. It is easier with Access than Oracle, or
SQL-Server, but not impossible with either. Data stolen from ChoicePoint and
credit card processors have proven that. Once data can be stored locally, it
is not secure at all. Laptops stolen from Wells Fargo, the VA, and many
other sources proved that this year.
 
That's true of any file. If someone wants data and they know
enough and try hard enough, they will get it, assuming that they
don't get caught trying first. But that is relative. It is easier
with Access than Oracle, or SQL-Server, but not impossible with
either. Data stolen from ChoicePoint and credit card processors
have proven that. Once data can be stored locally, it is not
secure at all. Laptops stolen from Wells Fargo, the VA, and many
other sources proved that this year.
Click to expand...

The biggest security vulnerability in any organization comes from
the fact that you have to give your legitimate users permission to
use and edit the data. Hacking is really the least of your worries.
 
Alan Cossey said:
Doug and friends,
A gentleman called Brent Spaulding and I had a long discussion on this
over at UtterAccess.com and came up with what we think is a decent way of
securing data from users in Access 2007 files (as in accdb/e files, not
mdb/e files). However, despite the thread being viewed over 3000 times,
only one other person tried it out :-(.

I would be most interested in you opinion if you had the chance to have a
look. I summarised the discussion in a PDF file which you can get at
http://www.pdtltd.co.uk/pdtl/technicalresources.htm.
Click to expand...

Hi Alan.

I must admit that my interest in A2007 has been nil up until now since ULS
isn't supported in the new format but reading your paper has now given me a
reason to download the beta and have a play. Thanks.

Regards,
Keith.
www.keithwilby.com
 
Back
Top