Just Stumbled upon a MASSIVE security issue... Resolutions?

  • Dan2kx
    Contributor
    • Oct 2007
    • 365

    Just Stumbled upon a MASSIVE security issue... Resolutions?

    It's me again... and I have a new problem.....

    I am trying to make my holiday database as secure as possible and at the moment I am trying to lock out all startup options and whatnot to restrict access to the DB. (Using a Custom Logon System)

    But it is possible to create a new DB (blank) and import the tables etc. from the Holiday DB and then do update queries etc. on the original with no authorisation...

    So someone could potentially (quite easily) mess with the DB in any way they want and, most worrying.... delete everything!!!

    Is there any way to lock this action out!?

    I'm quite worried about this now that I have stumbled upon it, because if this is the case then my DB will not be a viable project and I will have wasted MANY HOURS of my FREE TIME doing it..

    Please Help...


    Thanks Dan
  • Dököll
    Recognized Expert Top Contributor
    • Nov 2006
    • 2379

    #2
    Originally posted by Dan2kx
    It's me again... and I have a new problem.....

    I am trying to make my holiday database as secure as possible and at the moment I am trying to lock out all startup options and whatnot to restrict access to the DB.

    But it is possible to create a new DB (blank) and import the tables etc. from the Holiday DB and then do update queries etc. on the original with no authorisation...

    So someone could potentially (quite easily) mess with the DB in any way they want and, most worrying.... delete everything!!!

    Is there any way to lock this action out!?

    I'm quite worried about this now that I have stumbled upon it, because if this is the case then my DB will not be a viable project and I will have wasted MANY HOURS of my FREE TIME doing it..

    Please Help...


    Thanks Dan
    Hey Dan!

    Sorry for your troubles, let's see how we can begin pinning it down. Please do stay tuned for other options from our friends here. In fact, I may refer you to a link specific to disabling special keys, and so on, for which I am proud to admit this forum has helped steer it in the right direction.

    First off I think you're on the right track, your startup options will help keep it solid, you can even set up a password for your code to hinder user ability to see code.

    (1) Keep a template of current database
    (3) Hide your database under Window menu (Hide/Unhide option)
    (2) Go under tools, options, uncheck hidden objects in the pop up

    Hopefully you had already right-clicked on forms, tables, queries one by one,
    selecting properties to check the hidden objects option (this enables the hidden objects method to interact freely with Option 3 above)

    (4) Uncheck anything showing in startup, via Tools, Startup
    (5) You will want to figure out a way to undo all of the above so you can work with things, therefore holding down the Shift key as the database loads aids in viewing your hidden objects and so on

    (6) Add a password to your special keys to demand that the user adds a password to enable certain special keys (There's probably a code here on how to do this part of it)...

    Hope this helps get you going, nonetheless Dan...please stay tuned, and do find that link here for added support if needed:-)

    Almost forgot, you can add a password to hide your VBA code:

    A- right-click on any of your command buttons
    B- scroll down to OnClick event procedure
    C- fire those three little dots in box thingee
    D- Go to tools, YourDatabaseName Log properties
    E- Hit Protection tab
    F- Check Lock project for viewing
    G- Add a password

    Save, that normal stuff and fire your forms and attempt to do A-C

    Good luck with project, Dan, I can almost say I know what you're feeling:-)

    In a bit!
    Last edited by Dököll; Jan 21 '08, 11:17 PM. Reason: explanation, and text...

    • Dan2kx
      Contributor
      • Oct 2007
      • 365

      #3
      It's the fact that the data stored in that database can be imported into another database and action queries can be done on the original that bothers me!!

      I can lock down the database quite well apart from that.

      Using the Access security features doesn't suit my needs (in terms of user functionality)...

      thanks Dan

      • jaxjagfan
        Recognized Expert Contributor
        • Dec 2007
        • 254

        #4
        Management should be made aware of your concerns.

        No matter how hard you try to lock an Access Database down - there's a savvy user that can do some research and find a way in. I was one of those savvy users at one point.

        Sometimes the end user needs more than he/she is given and tries to get to what they actually want on their own.

        Sometimes the data owner will not give up access to the data the end user needs and that prompts the end user to try to get the info they need.

        Accounting Department here is notorious for asking for reports but not giving access to some of their data sources to make reporting easier.

        If someone needs more info or other data elements, find out why and if it is a part of their business process.

        • NeoPa
          Recognized Expert Moderator MVP
          • Oct 2006
          • 32636

          #5
          Dan,

          Open your database (the one with the data in) and use Tools / Security / Set Database Password... to set a password for the database as a whole.
          Anyone trying to link to any tables in your database will now need to know this password.

          Let us know if this resolves your issues :)

          • Dan2kx
            Contributor
            • Oct 2007
            • 365

            #6
            No, that wouldn't work because everyone would need to know the password to use the DB,
            which defeats the object really!!

            • NeoPa
              Recognized Expert Moderator MVP
              • Oct 2006
              • 32636

              #7
              I wasn't aware you'd indicated in any way this is a standalone database. If I'd assumed that then you'd have reason for considering my response unintelligent.
              Even so, I would consider setting it up as a FE / BE system and password protecting the Back-End database. The password is only required for the Front-End database when setting up the links.

              Comment
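
The FE/BE arrangement from post #7, as an added example that is not part of the thread: a VBA routine, run once in the front end, that links the tables to a back end protected with a database password. The back-end path and the table names are hypothetical placeholders.

```vba
' Added example (not from the thread). Run once in the front end (FE).
' BE_PATH and the table names are hypothetical placeholders.
' Needs a reference to the Microsoft DAO object library.
Option Compare Database
Option Explicit

Private Const BE_PATH As String = "\\server\share\Holiday_be.mdb"

Public Function RelinkBackEnd(ByVal bePassword As String) As Long
    Dim db As DAO.Database
    Dim tdf As DAO.TableDef
    Dim tableNames As Variant, i As Long
    Dim connectStr As String

    tableNames = Array("tblStaff", "tblHolidays")
    connectStr = "MS Access;PWD=" & bePassword & ";DATABASE=" & BE_PATH
    Set db = CurrentDb

    For i = LBound(tableNames) To UBound(tableNames)
        Set tdf = FindTableDef(db, CStr(tableNames(i)))
        If tdf Is Nothing Then
            ' No table of this name yet: create a new link to the BE table.
            Set tdf = db.CreateTableDef(CStr(tableNames(i)))
            tdf.Connect = connectStr
            tdf.SourceTableName = CStr(tableNames(i))
            db.TableDefs.Append tdf
        ElseIf Len(tdf.Connect) > 0 Then
            ' Existing link: point it at the protected BE and refresh it.
            tdf.Connect = connectStr
            tdf.RefreshLink
        Else
            ' A local table with this name still holds data; never overwrite it.
            Err.Raise vbObjectError + 1, "RelinkBackEnd", _
                      "Local table '" & tableNames(i) & "' exists; move it to the BE first."
        End If
        RelinkBackEnd = RelinkBackEnd + 1   ' count of tables linked
    Next i
End Function

' Returns the TableDef with the given name, or Nothing if there is none.
Private Function FindTableDef(db As DAO.Database, ByVal tableName As String) As DAO.TableDef
    Dim t As DAO.TableDef
    For Each t In db.TableDefs
        If t.Name = tableName Then
            Set FindTableDef = t
            Exit Function
        End If
    Next t
End Function
```

The password is saved in each link's Connect property inside the front end, so the front-end file itself still has to be locked down.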

              • sierra7
                Recognized Expert Contributor
                • Sep 2007
                • 446

                #8
                Developing the last suggestion, the BE can be in a hidden folder on the server, a couple of levels down.

                If the front end is secure even a savvy user would have difficulty knowing where to look.

                We do it to stop people walking off with the database on a pen-drive!

                S7

                • Dan2kx
                  Contributor
                  • Oct 2007
                  • 365

                  #9
                  Would it be easy to split my DB into a front end and a back end at this late stage??

                  I have lots of queries and VB code that might be quite specific...

                  • sierra7
                    Recognized Expert Contributor
                    • Sep 2007
                    • 446

                    #10
                    Originally posted by Dan2kx
                    Would it be easy to split my DB into a front end and a back end at this late stage??

                    I have lots of queries and VB code that might be quite specific...
                    It's a doddle to use the Wizard.

                    On a big database there might be a performance hit if the network is slow.

                    However, splitting the DB is a first step should you want to migrate the data to SQL Server or even MySQL. Either of these would also give you better security.

                    S7

                    • Dan2kx
                      Contributor
                      • Oct 2007
                      • 365

                      #11
                      What about all my VB queries and other VB bits? I would need to change them all to the backend DB, right??

                      • NeoPa
                        Recognized Expert Moderator MVP
                        • Oct 2006
                        • 32636

                        #12
                        Pretty well only the tables need to be in the BE.
                        All the queries, VBA, forms, etc would remain in the FE.

                        Never get rid of the original until you're happy with the results though of course.

                        • Killer42
                          Recognized Expert Expert
                          • Oct 2006
                          • 8429

                          #13
                          Originally posted by NeoPa
                          ... Never get rid of the original until you're happy with the results though of course.
                          I'd go one further and say never get rid of the original. If you need to make a change down the track, better to start with the original, make your changes, then reapply the appropriate security.
