system.mdw/default/secured mdw etc.

  • Keith Wilby

    #16
    Re: system.mdw/default/secured mdw etc.

    dXXXfenton@bway.net.invalid (David W. Fenton) wrote:

    > Well, another issue is that Office XP introduces a different
    > directory structure, so it's not just about images.

    I'll look forward to that in due course, but as yet we have no plans to
    move away from NT4!


    • David W. Fenton

      #17
      Re: system.mdw/default/secured mdw etc.

      keith.wilby@AwayWithYerCrap.com (Keith Wilby) wrote in
      <Xns944D905892E56keithwilby@10.15.188.42>:

      >dXXXfenton@bway.net.invalid (David W. Fenton) wrote:
      >
      >> Well, another issue is that Office XP introduces a different
      >> directory structure, so it's not just about images.
      >
      >I'll look forward to that in due course, but as yet we have no
      >plans to move away from NT4!

      Office XP runs on NT4.

      --
      David W. Fenton http://www.bway.net/~dfenton
      dfenton at bway dot net http://www.bway.net/~dfassoc


      • TC

        #18
        Re: system.mdw/default/secured mdw etc.

        Below:

        "Mike MacSween" <mike.macsween.nospam@btinternet.com> wrote in message
        news:3fd6b0df$0$52882$5a6aecb4@news.aaisp.net.uk...
        > "TC" <a@b.c.d> wrote in message news:1071028750.993768@teuthos...
        >
        > > Not quite. They need to know the WID and company name and organization
        > > name - period. And the latter two are not hard to guess, or get from other
        > > places on the PC. Once they have recreated the workgroup file, they just
        > > log-on as the default Admin user (with no password). They need not know any
        > > user of the previous Admins group. The default Admin user is now a member of
        > > the Admins group (in the recreated workgroup file).
        >
        > Yes, that's what I meant. David seemed to be saying that the Admins group is
        > never secure or securable. Seems to me not only is it securable, given what
        > you've just said, but that it actually may be necessary, because of the
        > irrevocable rights.
        >
        > Assuming you've denied Admin any rights to the database you secure then a
        > 'hacker' needs at least 5 bits of info. Company Name, Organisation, WID (to
        > recreate the mdw) and User Name and PID of at least one user who has admin
        > rights. In other words the things you need to re-create the mdw. That sounds
        > pretty secure to me (within the usual limitations of Access security).

        NO, he does NOT need the username and PID of a user of the old Admins group!
        When you recreate the workgroup file (using the correct WID, company &
        organization), that file includes a default Admin user, with no password,
        who is a member of that (recreated) Admins group. So you can log on
        >automatically<, without knowing >any< previous user name or password, as a
        member of the (recreated) ADMINS GROUP.

        TC



        • TC

          #19
          Re: system.mdw/default/secured mdw etc.


          "TC" <a@b.c.d> wrote in message news:1071105560.25499@teuthos...

          (snip)

          > So you can log on >automatically<, without knowing >any< previous
          > user name or password, as a member of the (recreated) ADMINS GROUP.


          Oops, not sure where the CAPITALS came from.

          TC



          • David W. Fenton

            #20
            Re: system.mdw/default/secured mdw etc.

            c.grimsby@worldnet.att.net.invalid (Chuck Grimsby) wrote in
            <c4eftvcevegi3n6etq14slr3cnqm3n1f7n@4ax.com>:

            >On Wed, 10 Dec 2003 13:45:09 GMT, dXXXfenton@bway.net.invalid
            >(David W. Fenton) wrote:
            >>c.grimsby@worldnet.att.net.invalid (Chuck Grimsby) wrote in
            >><1otdtvcq0g1ilumkjah8vudboh2mqnie4d@4ax.com>:
            >>>The SHGetFolderLocation API calls return all the folder names
            >>>for the user's (as well as common) things like My Documents,
            >>>Recycle Bin, Drives, Fonts, Programs, Printers, Net Hood, Recent
            >>>Documents, etc. The whole list is pretty long, actually. 50 or
            >>>60 items.
            >
            >>>By using a API call, you don't have to worry about security, or
            >>>where the specific key is, etc. And it's also faster (IMHO).
            >
            >>How do you find the location of a specific Access version with
            >>it?
            >
            >You can't. Did I say anything to lead you to believe you could do
            >that? If so, I apologize. That was certainly not my intent. My
            >intent was to say that the SHGetFolderLocation is a great API call
            >to figure out where all the user's "special" folders are,
            >regardless of what machine they are using (which is especially
            >helpful in Terminal Server and Citrix environments).

            Ah. I thought the problem was how to find the location of Access.

            --
            David W. Fenton http://www.bway.net/~dfenton
            dfenton at bway dot net http://www.bway.net/~dfassoc


            • Mike MacSween

              #21
              Re: system.mdw/default/secured mdw etc.

              "TC" <a@b.c.d> wrote in message news:1071105560.25499@teuthos...

              > NO, he does NOT need the username and PID of a user of the old Admins group!
              > When you recreate the workgroup file (using the correct WID, company &
              > organization), that file includes a default Admin user, with no password,
              > who is a member of that (recreated) Admins group. So you can log on
              > >automatically<, without knowing >any< previous user name or password, as a
              > member of the (recreated) ADMINS GROUP.

              Of course. Let me get this straight. mydatabase.mdb has been secured with
              mywkrgrp.mdw

              Which has an admins group, and others. User admin has been moved to the
              users group. In the mdb the users group has no rights, therefore neither
              does admin.

              Somebody 'gets hold' of the WID used to create mywkrgrp.mdw (as well as
              company and organization) and creates a new mdw. They don't know any User
              PIDs but they 'know' the Admin group PID (because it's the same as the WID).
              So an Admins group which is identical to the one in the 'real' mdw is
              created. They can't recreate any of the original members of that group, but a
              user Admin is created who is a member of that group, with a blank password.
              So has access to everything.

              If I've got that right then it doesn't bother me one bit. If in order to
              recreate the mdw file you need 3 pieces of information, which a clever
              developer could make all hard to guess (presumably you could use
              'kj309jds03filds30dof03' as a company name, instead of the real one) then
              that's quite enough security for me, given the context of Access security.
              Seems to me the Admins group can be made 'secure'.

              Yours, Mike MacSween



              • TC

                #22
                Re: system.mdw/default/secured mdw etc.


                "Mike MacSween" <mike.macsween.nospam@btinternet.com> wrote in message
                news:3fd80747$0$52888$5a6aecb4@news.aaisp.net.uk...
                > "TC" <a@b.c.d> wrote in message news:1071105560.25499@teuthos...
                >
                > > NO, he does NOT need the username and PID of a user of the old Admins group!
                > > When you recreate the workgroup file (using the correct WID, company &
                > > organization), that file includes a default Admin user, with no password,
                > > who is a member of that (recreated) Admins group. So you can log on
                > > >automatically<, without knowing >any< previous user name or password, as a
                > > member of the (recreated) ADMINS GROUP.
                >
                > Of course. Let me get this straight. mydatabase.mdb has been secured with
                > mywkrgrp.mdw

                Ok.

                > Which has an admins group, and others. User admin has been moved to the
                > users group. In the mdb the users group has no rights, therefore neither
                > does admin.

                Ok.

                > Somebody 'gets hold' of the WID used to create mywkrgrp.mdw (as well as
                > company and organization) and creates a new mdw.

                Ok. The new workgroup file will have an Admins group. That Admins group will
                be indistinguishable (to Jet & Access) from the Admins group of the original
                workgroup file. It will have an Admin user with no password. If you log on
                as that Admin user (with no password), you will (effectively) be logged on
                as a member of the Admins group of the secured database.

                > They don't know any User PIDs...

                They don't need to. The new (default) Admin user gives them whatever they
                want.

                > but they 'know' the Admin group PID (because it's the same as the WID).

                Not sure what you have in mind there. The Admins group has a SID, but
                because of how that is constructed, it will never be equal to any PID, or to
                the workgroup WID.

                > So an Admins group which is identical to the one in the 'real' mdw is
                > created.

                Yes.

                > They can't recreate any of the original members of that group, but a
                > user Admin is created who is a member of that group, with a blank password.
                > So has access to everything.

                Exactly.

                > If I've got that right then it doesn't bother me one bit. If in order to
                > recreate the mdw file you need 3 pieces of information, which a clever
                > developer could make all hard to guess (presumably you could use
                > 'kj309jds03filds30dof03' as a company name, instead of the real one) then
                > that's quite enough security for me, given the context of Access security.
                > Seems to me the Admins group can be made 'secure'.

                Exactly. The only problem is when people use the default workgroup file.
                That file has a >blank< WID. So anyone who can grab the company &
                organization name from the PC (eg. from the registry), can recreate that
                workgroup file (with its associated Admins group & default Admin user).

                HTH,
                TC

                >
                > Yours, Mike MacSween
                >



                • Mike MacSween

                  #23
                  Re: system.mdw/default/secured mdw etc.

                  "TC" <a@b.c.d> wrote in message news:1071196108.852240@teuthos...

                  > Exactly. The only problem is when people use the default workgroup file.
                  > That file has a >blank< WID. So anyone who can grab the company &
                  > organization name from the PC (eg. from the registry), can recreate that
                  > workgroup file (with its associated Admins group & default Admin user).

                  Got ya. But if I HAVE used a real WID and even entered nonsense for the
                  company and org then at least the workgroup is as secure as we can expect an
                  Access workgroup system to be?

                  Cheers, Mike



                  • TC

                    #24
                    Re: system.mdw/default/secured mdw etc.

                    Yes, that is correct.

                    Cheers,
                    TC

                    "Mike MacSween" <mike.macsween.nospam@btinternet.com> wrote in message
                    news:3fd99201$0$52888$5a6aecb4@news.aaisp.net.uk...
                    > "TC" <a@b.c.d> wrote in message news:1071196108.852240@teuthos...
                    >
                    > > Exactly. The only problem is when people use the default workgroup file.
                    > > That file has a >blank< WID. So anyone who can grab the company &
                    > > organization name from the PC (eg. from the registry), can recreate that
                    > > workgroup file (with its associated Admins group & default Admin user).
                    >
                    > Got ya. But if I HAVE used a real WID and even entered nonsense for the
                    > company and org then at least the workgroup is as secure as we can expect an
                    > Access workgroup system to be?
                    >
                    > Cheers, Mike
                    >



                    • Mike MacSween

                      #25
                      Re: system.mdw/default/secured mdw etc.

                      "Keith Wilby" <keith.wilby@AwayWithYerCrap.com> wrote in message

                      > XCOPY "M:\KeithWilby\Public\MyGUI.mdb" C:\Temp\MyFolder /I
                      > "C:\Program Files\Microsoft Office\Office\MSACCESS.EXE"
                      > "C:\Temp\MyFolder\MyGUI.mdb" /wrkgrp "M:\KeithWilby\Public\MyWIF.mdw"

                      That works does it? I can't get a batch file to 'use' a wrkgroup file.

                      Mike



                      • Michael \(michka\) Kaplan [MS]

                        #26
                        Re: system.mdw/default/secured mdw etc.

                        It actually works well -- as long as you include msaccess.exe in the call
                        rather than just passing the MDB file.


                        --
                        MichKa [MS]
                        NLS Collation/Locale/Keyboard Development
                        Globalization Infrastructure and Font Technologies

                        This posting is provided "AS IS" with
                        no warranties, and confers no rights.


                        "Mike MacSween" <mike.macsween.nospam@btinternet.com> wrote in message
                        news:3fdb9ad0$0$52881$5a6aecb4@news.aaisp.net.uk...
                        > "Keith Wilby" <keith.wilby@AwayWithYerCrap.com> wrote in message
                        >
                        > > XCOPY "M:\KeithWilby\Public\MyGUI.mdb" C:\Temp\MyFolder /I
                        > > "C:\Program Files\Microsoft Office\Office\MSACCESS.EXE"
                        > > "C:\Temp\MyFolder\MyGUI.mdb" /wrkgrp "M:\KeithWilby\Public\MyWIF.mdw"
                        >
                        > That works does it? I can't get a batch file to 'use' a wrkgroup file.
                        >
                        > Mike
                        >

