I thought Access DB's can't be made truely secure??

R

Rob R. Ainscough

Can someone correct me if I'm wrong or show me how it can be done without
slowing it down by encrypting every table? The System.mdw has sorta always
been a joke since it can be deleted and anyone can still open up the mdb.

I have the "Password" tool (by Thegrideon Software) also that so far has
been able to "discover" the password of any/all Access mdb's I've come
across. This covers upto Access 2003.

If someone knows how to truely protect an Access mdb please fill me in --
(and be able to distribute the Access mdb without requiring MS Access to
loaded on the client system). I'd certainly like to implement it.

Thanks, Rob.
 
I

Immanuel Sibero

Hi Rob,

The System.mdw has sorta always
been a joke since it can be deleted and anyone can still open up the mdb.

Yes, it can be deleted. When properly secured (there are detailed steps to
do this), unauthorized users would not be able to open the mdb.
I have the "Password" tool (by Thegrideon Software) also that so far has
been able to "discover" the password of any/all Access mdb's I've come
across. This covers upto Access 2003.

That is true. Password crackers exist for many other software.
If someone knows how to truely protect an Access mdb please fill me in --
loaded on the client system). I'd certainly like to implement it.

I guess it depends on what you mean by *truely protect an Access mdb*?
My guess is Access security probably does not satisfy your definition of
*true protection*. Access is a file-based database, meaning all users must
have full access to the folder in which the physical files reside (i.e the
mdb, the mdw, the ldb files). As you have found out, Access uses password
security system that can be cracked. Any determined user can find a way to
crack the password. Heck, if he can't crack the password, he can just copy
the files to a CD, hack away at them, and knock himself out. So, Access
security is pretty basic and rudimentary. If you are concerned with security
you should consider client-server db such as SQL Server. Security is not the
main reason people use Access. I think you're trying to use Access the way
it's not designed for.
(and be able to distribute the Access mdb without requiring MS Access to
loaded on the client system). I'd certainly like to implement it.

Each computer must have either MS Access or Access Runtime to run an Access
database. But then again, you can develop your application in VB and use
Access mdb to avoid the MS-Access/Runtime requirement.


HTH,
Immanuel Sibero
 
R

Rob R. Ainscough

Ok, so there is no change is securing an Access database used in
distribution with VB application -- same as before.

I was just checking, it sounded like some people on this newsgroup feel an
Access database can be made secure in a VB distributed (i.e. no MS access or
access runtime on the client) environment.

Yes, I'm well aware of SQL Server security (ummm...or lack there off) -- not
terribly impressive -- what virus/worm was it that took down MS SQL Servers?
Sorry, had to point out that SQL Server 2000 is certainly not as secure as
many seem to think it is. Lets hope MS SQL Server 2005 is more secure.

On a security side note, MS aren't known to be terribly effective at
implementing security and if you look at how MS implement security compared
to other platforms it is VERY convoluted. To be honest, I'm not seeing MS
coming to terms with security at all, they have successfully over
complicated the task with multiple tiers of security implementation -- ya
know it really shouldn't have to be that difficult both from a developers
stand point and a user's stand point and an IS stand point. At best MS
security is a hodge poge of patches but the cheese is still Swiss -- if ya
know what I mean.
 
I

Immanuel Sibero

Hi Rob,
On a security side note, MS aren't known to be terribly effective at
implementing security and if you look at how MS implement security compared
to other platforms it is VERY convoluted. To be honest, I'm not seeing MS
coming to terms with security at all, they have successfully over
complicated the task with multiple tiers of security implementation -- ya
know it really shouldn't have to be that difficult both from a developers
stand point and a user's stand point and an IS stand point. At best MS
security is a hodge poge of patches but the cheese is still Swiss -- if ya
know what I mean.




I would agree with you on some of the security issues/problems/lapses
related to MS products. But some points below:

- I think many complaints directed to MS regarding security or lack thereof
were not so much because of MS itself as the fact that MS products are
widely used and therefore an easy target. If I was a bad guy wanting to
cause maximum damage, well.. hmmmm.. let's see which one to attack. SQL
Server? or Sybase? From quality standpoint, are other database servers more
secure simply because its security holes are not exposed (since noone
attacks them)?

- You have to also account for the fact everything started with the PC way
back when. The origins of what we now call workstations, servers are PC,
that's right *PERSONAL* computers. The original PC did not have security,
security was simply not part of the design. So a PC is really a wide open
piece of device. We have been trying to secure the PC ever since.

- If you look at the evolution of the internet, another example of a system
that has evolved from something that was designed to be a wide open system.
Web surfing, email etc were openly designed until spyware, viruses, spam
came into being. We have been trying to secure the internet ever since then.


The point of the above is, this is why security is a complicated matter,
this why it's a haphazard, hodge-podge kind of process. You can create a
usable and secure system in two ways:

- start with a wide open system and plug holes so that it becomes secure OR
- start with a closed, shut, secure system and poke holes on it so that it
becomes usable.

We are doing the first one, and it's the harder of the two.



Immanuel Sibero
 
R

Rob R. Ainscough

I understand what you are saying and agree with some of it, but MS has had
the opportunity to address the issue of security -- they hold the keys to
the OS (we don't). Other platforms are actually much more open (Linux) in
terms developers being able to basically tailor make their OS to suit their
needs and yet security is still much easier to implement on those platforms.

But like you say, Microsoft have been doing the x86 PC OS for many many many
years now, you'd think they would be more seasoned at security by now --
wouldn't ya?

We can only hope that Microsoft truely do take security seriously, but right
now I'd say MS is concerned about; #1 Piracy, #2 compatibility, #3 security.
If Microsoft want to grow, they need to repair their security image, trying
to squeeze money out of poor countries that illegally copy software isn't
going to help -- Yes piracy is a problem, but it should NOT be the #1
problem. http://www.bsaa.com.au/downloads/PiracyStudy070704.pdf MS
ultimate revenue growth will NOT come from piracy prevention, it will be
from consumer trust, IT trust, and a proven secure OS and applications
running on the OS.

This is an interesting 3 page article on the subject on how well MS have
done in regards to security
http://www.infoworld.com/article/04/10/08/41FEmssecure_1.html?s=feature
(turn on your popup blocker). Basically says doing better, but not enough
evidence to really compare as IIS6 and SP2 are they are relatively new.

Rob.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top