P
Pierre Doré
I am responsible for migrating a dozen MS ACCESS 2002 applications to MS
ACCESS 2007. After successfully migrating them all, I stubbled by accident
on a security glitch. All these apps uses User Level Security (ULS), and for
each database a seperate .mdw file is used as well. We use the FE & BE
approach as well, were the BE & .mdw file are located on a network server. A
shortcut file is used for all of them as well, defining the location of
database as well the mdw file to use against it. Here's the problem. If I
try accessing the database directly, on a development server, I get in on 4
of them, no questions asked. Using the "SysCmd(acSysCmdGetWorkgroupFile)"
within the VB Editor, I find it surprising that it now uses the default
system.mdw file. But the same database in version 2002(Prodution), it will
not let me in. Furthermore, if I rename the system.mdw file and try to
access the database directly, it recreates the default mdw file. I have to
use the "RunCommand acCmdWorkgroupAdminstrator" in the VB Editor in order to
join to the appropriate mdw file. My concern is that someone can simply
rename the mdw file located on the network, and then they have full access to
the database. Our only option is to change the attribute of the mdw file to
hidden. Is this a bug or is their a patch out there that I can use to fix
this problem? We have downloaded the SP1 patch as well.
ACCESS 2007. After successfully migrating them all, I stubbled by accident
on a security glitch. All these apps uses User Level Security (ULS), and for
each database a seperate .mdw file is used as well. We use the FE & BE
approach as well, were the BE & .mdw file are located on a network server. A
shortcut file is used for all of them as well, defining the location of
database as well the mdw file to use against it. Here's the problem. If I
try accessing the database directly, on a development server, I get in on 4
of them, no questions asked. Using the "SysCmd(acSysCmdGetWorkgroupFile)"
within the VB Editor, I find it surprising that it now uses the default
system.mdw file. But the same database in version 2002(Prodution), it will
not let me in. Furthermore, if I rename the system.mdw file and try to
access the database directly, it recreates the default mdw file. I have to
use the "RunCommand acCmdWorkgroupAdminstrator" in the VB Editor in order to
join to the appropriate mdw file. My concern is that someone can simply
rename the mdw file located on the network, and then they have full access to
the database. Our only option is to change the attribute of the mdw file to
hidden. Is this a bug or is their a patch out there that I can use to fix
this problem? We have downloaded the SP1 patch as well.