Question about security and passwords

  • Thread starter Thread starter Savvoulidis Iordanis
  • Start date Start date
S

Savvoulidis Iordanis

I have finally developed my own restricted user administration form, to
handle users/passwords.

I have created three groups, grpAdmins for me, with full rights to the DB. I
do not use the default Admins/Users groups at all, I removed every
permission off them. I also created grpAppUsers for the ordinary users and
grpAppAdmins for everyday admin (althrough restricted, but with admin
rights) tasks

I noted the following thing:
When I log in as a member of the grpDeveloper group, I can change the
password of any other user, without supplying the old password. Is this
correct? It sure is done fine (I logged on using the new password).
Now when I log on as an ordinary user (grpAppUsers) I can change the
password of the logged on user, only if supply the old password, which is
the correct behavior to me.
Is sth wrong in this scenario or not?

TIA
 
Savvoulidis said:
I have finally developed my own restricted user administration form,
to handle users/passwords.

I have created three groups, grpAdmins for me, with full rights to
the DB. I do not use the default Admins/Users groups at all, I
removed every permission off them.
Click to expand...

Did you also remove permissions for the Admin user, and more importantly are
you certain that the Admin user owns nothing?
I also created grpAppUsers for the
ordinary users and grpAppAdmins for everyday admin (althrough
restricted, but with admin rights) tasks

I noted the following thing:
When I log in as a member of the grpDeveloper group,
Click to expand...

What is this group? It sounds as though it has administer permission.
I can change the
password of any other user, without supplying the old password. Is
this correct? It sure is done fine (I logged on using the new
password).
Click to expand...

You should not be able to change a password without supplying the old one
(regardless of who is doing it). A user with administer permission can
reset it to blank, but can't change it to something else without supplying
the old password.
 
Sorry, probably as I was editing this post, something got lost...so I
rephrase

I have 3 groups, grpDeveloper (for me, with ALL rights to the DB and
objects), grpAppAdmins (for the customer's admin users (only for those tasks
that they must do) and grpAppUsers (for everybody else).

In my users admin form, an ordinary user can change his own password only,
by providing his previous password. This works OK. If a user from the
grpDeveloper group in logged on, then he can change an ordinary user's
password, without providing the old one (which is my question. Is this
true?). The simple user's password is changed with whatever I type in the
old password field.

If you are interested I can post my form in a small .mdb for everybody to
check it out.

TIA
 
I'd like to state here that the program is divided into MDE/MDB on the
network.

Also, I checked out that the default Users and Admins groups, have NO
permission on ALL objects and the DB. My grpDeveloper group, has every
permission on all objects and also, Open/Run, Exclusive and Administer
rights on DB. The grpAdmins group has Open/Run, Exlusive and Administer
rights on the client program (another question here...should the customers
in the grpAppAdmins group have administer rights to change passwords, or
this can be done another way?)
The grpAppUsers only have Open/Run permission on the DB and the correct
permissions on other objects (tables, forms...)

All permissions are assigned through the groups. No single user has any
private permissions, including the developers.
 
Savvoulidis said:
Sorry, probably as I was editing this post, something got lost...so I
rephrase

I have 3 groups, grpDeveloper (for me, with ALL rights to the DB and
objects), grpAppAdmins (for the customer's admin users (only for
those tasks that they must do) and grpAppUsers (for everybody else).

In my users admin form, an ordinary user can change his own password
only, by providing his previous password. This works OK. If a user
from the grpDeveloper group in logged on, then he can change an
ordinary user's password, without providing the old one (which is my
question. Is this true?). The simple user's password is changed with
whatever I type in the old password field.
Click to expand...

True. Because you are doing so as a user that's a member of the Admins
Group, or you are the owner of the database. See section 5 of the security
FAQ.
Security FAQ
http://support.microsoft.com/?id=207793
If you are interested I can post my form in a small .mdb for
everybody to check it out.
Click to expand...

Please don't post attachments to the newsgroup.
 
Savvoulidis said:
I'd like to state here that the program is divided into MDE/MDB on the
network.

Also, I checked out that the default Users and Admins groups, have NO
permission on ALL objects and the DB.
Click to expand...

What about the Admin user? Ensure particularly that they don't own the
database object. It wasn't necessary to remove permissions for the Admins
Group, but no harm.
My grpDeveloper group, has every
permission on all objects and also, Open/Run, Exclusive and Administer
rights on DB. The grpAdmins group has Open/Run, Exlusive and
Administer rights on the client program (another question
here...should the customers in the grpAppAdmins group have administer
rights to change passwords, or this can be done another way?)
Click to expand...

You could create a separate mdw for deployment, vs the one you secured it
with. They would then just need to be a member of the Admins group in the
deployment mdw to reset passwords, create/delete users. Details are in
section 33 of the security FAQ.
 
The only user in the default Users group is the default Admin user, with no
permissions at all.
Also, Users/Admins groups have no permissions at all. No users belong in the
default Admins group.

Is it necessary to use the default Admins group? I don't. Can't I exclude it
from any action, and instead use my own groups, as I do in this case
(grpDeveloper, grpAppAdmins, grpAppUsers) ?
 
Savvoulidis said:
The only user in the default Users group is the default Admin user,
with no permissions at all.
Click to expand...

Well that can't be. Every user is a member of the Users Group,you can't
change that. That's why the Users Group gets no permissions.
Also, Users/Admins groups have no permissions at all. No users belong
in the default Admins group.

Is it necessary to use the default Admins group? I don't. Can't I
exclude it from any action, and instead use my own groups, as I do in
this case (grpDeveloper, grpAppAdmins, grpAppUsers) ?
Click to expand...

You don't have to use the default Admins group, no. What you've done is
fine.
 
I've read in the help file, thatin order to use NewPassword on a certain
user, you either have to be the in the Admins group, or be that user
himself. What if I need to have site admins (like grpAppAdmins in my case)
and the default Admins group is not used at all? I noticed that although
the user in grpAppAdmins has Administer/Run/Modify permissions, he can't use
the NewPassword on another user in the grpAppUsers group. Only the owner of
the database (grpDeveloper) is able to change anybody's password, or that
user himself.
What I want is, the site's admin users (in grpAppAdmins) to handle the
creation of the users/passwords

TIA
 
Savvoulidis said:
What I want is, the site's admin users (in grpAppAdmins) to handle the
creation of the users/passwords
Click to expand...

They need to be a member of the Admins group. You can/should ship a
different mdw for production use than the one you used to secure it with.
See section 33 of the security FAQ "I want to create a remote site
administrator to be able to administer the database and add user accounts
but not alter permissions on the database objects"
http://support.microsoft.com/?id=207793
 
Back
Top