Not sure whether this is the right group, but I can't find anything in the
..NET groups and my apologies if this has already been covered or is
considered "off subject".
I am looking at using an Access database to hold data which will be handled
via VB.NET and I am not sure about some of the security aspects. I am going
the .NET route as part of the application involves using a Pocket PC and I
don't want part to involve deploying msaccess.exe and so on as well as the
..NET stuff. Including a .mdb file in with the .NET stuff is OK.
With an Access front end it is possible to stop users from running RWOP
queries except when called from an Access form by putting a function in the
query which checks where it is being called from by using CurrentObjectTy pe.
I am looking for something similar to use with VB.NET. However, as far as I
can see, if the VB.NET app calls the RWOP query in the Access database,
there is not much you can do to stop them calling the RWOP query themselves,
e.g. from their own Access database. My question is: How to I stop users
from running queries or accessing tables in the Access back end while still
giving my VB.NET "front end" sufficient access, please?
When I've done Access apps that require reasonable security I've done things
like:
1) Use user-level security.
2) Develop using one MDW file, but not allow users to use this. Instead they
use the default system.mdw. Users, therefore, enter the app as the Admin
user from system.mdw and the app then checks their Windows ID to specify
which parts of the app they can access.
3) Do a proper removal of the Shift bypass stuff so they are forced into
running code that picks up their Windows ID. Either that or ID's are held in
tables and used from there, with the users having to enter an ID and
password to authenticate themselves.
The problem seems to be that if I am using user-level security for the
Access database, VB.NET requires a user ID and password for this that also
requires the existence of - and physical access to - an MDW file with those
details in. This is where the security hole appears to be. As many people
know, if a user has physical access to a .mdw file, there are tools around
that will let them see all groups, ID's and passwords in that .mdw file. I
also know that it is possible for some people to break into a .mdb file even
without the developer's .mdw file, but if people are that desperate to get
into my app, well, they need to get a life. The level of sensitivity of the
data is such that I need "only" to stop people running RWOP queries that
they shouldn't be running.
The best I can think of is to give the .mdw file a non-standard name, e.g.
MyPretendName.d ll, and try and hide it somewhere on the user's PC other than
in the application's own folder, in which case I then need to find a way of
deploying it there and I haven't got that far in my understanding of .NET
application deployment to be able to do that. It doesn't appear a very
robust way to do it either.
Any help would be much appreciated. I don't expect this is the first time
anyone has wanted to know the answer to this.
Alan Cossey
PS Using SQL Server or the like is not an option. 2 1998
Freeserve wrote: Not sure whether this is the right group, but I can't find anything in the .NET groups and my apologies if this has already been covered or is considered "off subject".
I am looking at using an Access database to hold data which will be handled via VB.NET and I am not sure about some of the security aspects. I am going the .NET route as part of the application involves using a Pocket PC and I don't want part to involve deploying msaccess.exe and so on as well as the .NET stuff. Including a .mdb file in with the .NET stuff is OK.
With an Access front end it is possible to stop users from running RWOP queries except when called from an Access form by putting a function in the query which checks where it is being called from by using CurrentObjectTy pe. I am looking for something similar to use with VB.NET. However, as far as I can see, if the VB.NET app calls the RWOP query in the Access database, there is not much you can do to stop them calling the RWOP query themselves, e.g. from their own Access database. My question is: How to I stop users from running queries or accessing tables in the Access back end while still giving my VB.NET "front end" sufficient access, please?
When I've done Access apps that require reasonable security I've done things like:
1) Use user-level security. 2) Develop using one MDW file, but not allow users to use this. Instead they use the default system.mdw. Users, therefore, enter the app as the Admin user from system.mdw and the app then checks their Windows ID to specify which parts of the app they can access. 3) Do a proper removal of the Shift bypass stuff so they are forced into running code that picks up their Windows ID. Either that or ID's are held in tables and used from there, with the users having to enter an ID and password to authenticate themselves.
The problem seems to be that if I am using user-level security for the Access database, VB.NET requires a user ID and password for this that also requires the existence of - and physical access to - an MDW file with those details in. This is where the security hole appears to be. As many people know, if a user has physical access to a .mdw file, there are tools around that will let them see all groups, ID's and passwords in that .mdw file. I also know that it is possible for some people to break into a .mdb file even without the developer's .mdw file, but if people are that desperate to get into my app, well, they need to get a life. The level of sensitivity of the data is such that I need "only" to stop people running RWOP queries that they shouldn't be running.
The best I can think of is to give the .mdw file a non-standard name, e.g. MyPretendName.d ll, and try and hide it somewhere on the user's PC other than in the application's own folder, in which case I then need to find a way of deploying it there and I haven't got that far in my understanding of .NET application deployment to be able to do that. It doesn't appear a very robust way to do it either.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Why not use SQL Server CE ("the compact database"). See this URL: http://www.microsoft.com/sql/CE/default.asp
The .NET newsgroups are on Microsoft news servers:
microsoft.publi c.dotnet.langua ges.csharp
microsoft.publi c.dotnet.langua ges.vb (not sure)
--
MGFoster:::mgf0 0 <at> earthlink <decimal-point> net
Oakland, CA (USA)
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBQIW90YechKq OuFEgEQLbWgCg9T 1HUPU1yQPHAUn1q PaE6I1CNAMAn1MW
oZRu2yzCTMazXFP UEQU4TXLn
=WDbC
-----END PGP SIGNATURE-----
"MGFoster" <me@privacy.com > wrote in message
news:g5******** *********@newsr ead1.news.pas.e arthlink.net... Freeserve wrote:
Not sure whether this is the right group, but I can't find anything in
the .NET groups and my apologies if this has already been covered or is considered "off subject".
I am looking at using an Access database to hold data which will be
handled via VB.NET and I am not sure about some of the security aspects. I am
going the .NET route as part of the application involves using a Pocket PC and
I don't want part to involve deploying msaccess.exe and so on as well as
the .NET stuff. Including a .mdb file in with the .NET stuff is OK.
With an Access front end it is possible to stop users from running RWOP queries except when called from an Access form by putting a function in
the query which checks where it is being called from by using
CurrentObjectTy pe. I am looking for something similar to use with VB.NET. However, as far
as I can see, if the VB.NET app calls the RWOP query in the Access database, there is not much you can do to stop them calling the RWOP query
themselves, e.g. from their own Access database. My question is: How to I stop users from running queries or accessing tables in the Access back end while
still giving my VB.NET "front end" sufficient access, please?
When I've done Access apps that require reasonable security I've done
things like:
1) Use user-level security. 2) Develop using one MDW file, but not allow users to use this. Instead
they use the default system.mdw. Users, therefore, enter the app as the Admin user from system.mdw and the app then checks their Windows ID to specify which parts of the app they can access. 3) Do a proper removal of the Shift bypass stuff so they are forced into running code that picks up their Windows ID. Either that or ID's are
held in tables and used from there, with the users having to enter an ID and password to authenticate themselves.
The problem seems to be that if I am using user-level security for the Access database, VB.NET requires a user ID and password for this that
also requires the existence of - and physical access to - an MDW file with
those details in. This is where the security hole appears to be. As many
people know, if a user has physical access to a .mdw file, there are tools
around that will let them see all groups, ID's and passwords in that .mdw file.
I also know that it is possible for some people to break into a .mdb file
even without the developer's .mdw file, but if people are that desperate to
get into my app, well, they need to get a life. The level of sensitivity of
the data is such that I need "only" to stop people running RWOP queries that they shouldn't be running.
The best I can think of is to give the .mdw file a non-standard name,
e.g. MyPretendName.d ll, and try and hide it somewhere on the user's PC other
than in the application's own folder, in which case I then need to find a way
of deploying it there and I haven't got that far in my understanding of
..NET application deployment to be able to do that. It doesn't appear a very robust way to do it either.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Why not use SQL Server CE ("the compact database"). See this URL:
http://www.microsoft.com/sql/CE/default.asp
The .NET newsgroups are on Microsoft news servers:
microsoft.publi c.dotnet.langua ges.csharp microsoft.publi c.dotnet.langua ges.vb (not sure)
-- MGFoster:::mgf0 0 <at> earthlink <decimal-point> net Oakland, CA (USA)
-----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv
iQA/AwUBQIW90YechKq OuFEgEQLbWgCg9T 1HUPU1yQPHAUn1q PaE6I1CNAMAn1MW oZRu2yzCTMazXFP UEQU4TXLn =WDbC -----END PGP SIGNATURE-----
Thanks for replying. As far as I am aware SQL Server CE only works on
devices running the .NET Compact Framework and, though my app will include
this and I may well use SQLSCE for that part, I want to use Jet/Access to
store data on the PC for various reasons, rather than use SQL Server / MSDE
2000.
Alan This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data and some who couldn't but that it wasn't important right now.
And I said, 'sure, we can do that later'.
So now I've developed an app without any thought to security and am trying
to apply it afterwards. Doh!, doh! and triple doh!
|
by: Freeserve |
last post by:
Not sure whether this is the right group, but I can't find anything in the
..NET groups and my apologies if this has already been covered or is
considered "off subject".
I am looking at using an Access database to hold data which will be handled
via VB.NET and I am not sure about some of the security aspects. I am going
the .NET route as part of the application involves using a Pocket PC and I
don't want part to involve deploying...
|
by: robert demo via AccessMonster.com |
last post by:
I've done all the recommended things with workgroup security, creating a
..mde file, and splitting the application into a front end and, in my case,
multiple backends.
The problem is that users that have access to the application (thru the
custom workgroup file) can import the tables into a blank database.
My application has no queries and uses SQL statements in the VBA code to
read/update table information. I have hundreds of SQL...
|
by: christopher_mouse |
last post by:
I have a split Access 97 database that I've been asked to secure. The
data is sensitive and users include programmers who are routinely
accessing the data directly, so I plan to remove all permissions from
the tables in the backend and then create RWOP queries to retrieve all
the fields in the tables so users are limited to the column/row access
that I design in these queries.
I also plan to remove permissions for users to create new...
|
by: Mike MacSween |
last post by:
Mmmm. Doing some work with Access security.
Let's say I don't want the users to be able to edit the back end tables
directly. Not because it's a 'high security' application but because they
can do damage. I only want them to access the app through my forms.
So I deny them access rights (talking Access, not NT) to the back end data
tables. Then I use RWOP queries in the forms. This is a standard technique,
no?
| |
by: TechBoy |
last post by:
Re:Access 2002
If I base my form on an RWOP query, can I dynamically select from an
RWOP query result set to display on the form? Does someone have an
example?
Thanks.
|
by: DFS |
last post by:
Architecture: Access 2003 client, Oracle 9i repository, no Access security
in place, ODBC linked tables.
100 or so users, in 3 or 4 groups (Oracle roles actually): Admins, Updaters
and ReadOnly. Each group sees a different set of menu options when they
open the client and login to Oracle.
For the sake of speed I use pass-through queries here and there for updates
and deletes. I update their SQL property in code and execute them.
|
by: google |
last post by:
I am creating a new database for use within our company, that I'd like
to make reasonably secure (short of a true server based solution). The
back-end of a non-server based database seems to be the biggest
security hole, due to the ease of opening, linking, and/or importing
raw data directly from the back-end database. I've read information
that indicates that locking down the back-end tables to the owner, then
using RWOP queries in the...
|
by: zwasdl |
last post by:
Some of my queries take 1 hour to run, can I run other queries in
access while waiting on the first query? If so, how can I do it?
Thanks a lot,
Wei
|
by: Max Vit |
last post by:
I have deployed few Access apps splitting it in Front End and Back
End. Our environment uses Win XP SP2 for clients, Win 2k3 for servers
and Access 2003. The max. number of clients is about 50 (concurrent
users is estimated around 10).
Whilst the Back End always lives on a server, I am not quite clear
where the Front End should live.
I have searched the web and find contradicting views.
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| | |