There is an MS-SQL table named Bugs_Comments_a nd_Suggestions.
There is a form named Bugs_Comments_a nd_Suggestions.
To allow John Doe to use this form, we GRANT him LOGIN and ACCESS permissions
to the db and SELECT permissions on the stored procedure which is the record
source for the BOUND form.
To allow John Doe to "UPDATE, INSERT, DELETE" using the BOUND form, we GRANT
John Doe "UPDATE, INSERT, DELETE" permissions on the table,
Bugs_Comments_a nd_Suggestions.
Our application enters some unique identifier for John Doe into the table,
Bugs_Comments_a nd_Suggestions, when he INSERTS a new record, and limits him
to UPDATING and DELETING records with that unique identifier, that is records
which he has created.
SO far so good, but John Doe decides he like Access and one day, when he has
a little time on his hand he decides to create his own ADP. He chooses the
option "Project, Existing Data"; a dialog box appears and he finds that the
MS-SQL server in which the table, Bugs_Comments_a nd_Suggestions lives is
listed. He chooses that. He chooses Windows Integrated Security, or uses the
SQL logon and the password he has for the application already described. He
finds a list box of Databases and chooses, again, the one where the table,
Bugs_Comments_a nd_Suggestions, lives. Then he clicks O.K. and up pops the
database window with the tables, including table,
Bugs_Comments_a nd_Suggestions. He double clicks on this table and it opens in
datasheet view.
We gave him "UPDATE, INSERT, DELETE" on this table and restricted his access
in the application itself.
But now John is in another application. The MS-SQL database does not know
this; it knows only that John has "UPDATE, INSERT, DELETE" permissions on the
table. John chooses one of Jane Doe's Suggestions and edits it to say
something extremely rude about the Department Head.
He then closes and deletes his little ADP.
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms and
their inherent vulnerability?
Yes, I know I could make a table for every John Doe, but multiply the number
of John Does by the number of required tables and one gets quite a large
number of tables, (about 10500 in the application which has prompted me to
write this), and specific permissions to be granted.
And of course, I am not so much worried about one table; many tables could
have this vulnerability.
Well, I'm going to read Robert Vieira's (WROX Professional SQL Server 2000
Programming) chapter on Security now, and I hope that I find that my thinking
is in error, and that I don't have to change my approach on security, or stop
using BOUND forms.
Or maybe someone here will explain how to deal with the problem I have
outlined.
--
Lyle
--
use iso date format: yyyy-mm-dd http://www.w3.org/QA/Tips/iso-date
--
The e-mail address isn't, but you could use it to find one. 16  2193 
"Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn******** ***********@130 .133.1.4...
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms
and their inherent vulnerability?
AFAIK your interpretation is correct - if you want a user to be able to
update records via a continuous form they need UPDATE permissions on the
underlying table. You could put a trigger on the table to audit who actually
did the update but other than that I don't think there's much else you can
do. The alternative is to use bound forms for vewing only and do all updates
with stored procedures. With very few exceptions that's basically what we
do.
On Tue, 3 Aug 2004 12:00:14 -0400, "John Winterbottom" <as******@hotma il.com>
wrote: "Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn******* ************@13 0.133.1.4...
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms
and their inherent vulnerability?
AFAIK your interpretation is correct - if you want a user to be able to
update records via a continuous form they need UPDATE permissions on the
underlying table. You could put a trigger on the table to audit who actually
did the update but other than that I don't think there's much else you can
do. The alternative is to use bound forms for vewing only and do all updates
with stored procedures. With very few exceptions that's basically what we
do.
Actually, it's quite possible to have the trigger raise an error and roll back
the action if the user doing the update is not the same as the user indicated
in the record. ADPs are designed to move security to the back-end, so that's
where you have to do it. Fortunately, it's usually doable.
"Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn******** ***********@130 .133.1.4... There is an MS-SQL table named Bugs_Comments_a nd_Suggestions.
There is a form named Bugs_Comments_a nd_Suggestions.
To allow John Doe to use this form, we GRANT him LOGIN and ACCESS
permissions to the db and SELECT permissions on the stored procedure which is the
record source for the BOUND form.
To allow John Doe to "UPDATE, INSERT, DELETE" using the BOUND form, we
GRANT John Doe "UPDATE, INSERT, DELETE" permissions on the table,
Bugs_Comments_a nd_Suggestions.
Our application enters some unique identifier for John Doe into the table,
Bugs_Comments_a nd_Suggestions, when he INSERTS a new record, and limits
him to UPDATING and DELETING records with that unique identifier, that is
records which he has created.
SO far so good, but John Doe decides he like Access and one day, when he
has a little time on his hand he decides to create his own ADP. He chooses the
option "Project, Existing Data"; a dialog box appears and he finds that
the MS-SQL server in which the table, Bugs_Comments_a nd_Suggestions lives is
listed. He chooses that. He chooses Windows Integrated Security, or uses
the SQL logon and the password he has for the application already described.
He finds a list box of Databases and chooses, again, the one where the table,
Bugs_Comments_a nd_Suggestions, lives. Then he clicks O.K. and up pops the
database window with the tables, including table,
Bugs_Comments_a nd_Suggestions. He double clicks on this table and it opens
in datasheet view.
We gave him "UPDATE, INSERT, DELETE" on this table and restricted his
access in the application itself.
But now John is in another application. The MS-SQL database does not know
this; it knows only that John has "UPDATE, INSERT, DELETE" permissions on
the table. John chooses one of Jane Doe's Suggestions and edits it to say
something extremely rude about the Department Head.
He then closes and deletes his little ADP.
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms
and their inherent vulnerability?
Yes, I know I could make a table for every John Doe, but multiply the
number of John Does by the number of required tables and one gets quite a large
number of tables, (about 10500 in the application which has prompted me to
write this), and specific permissions to be granted.
And of course, I am not so much worried about one table; many tables could
have this vulnerability.
Well, I'm going to read Robert Vieira's (WROX Professional SQL Server 2000
Programming) chapter on Security now, and I hope that I find that my
thinking is in error, and that I don't have to change my approach on security, or
stop using BOUND forms.
Or maybe someone here will explain how to deal with the problem I have
outlined.
--
Lyle
You could reinstate Jane Doe's contract, but you're probably better off
without her because it's just a matter of time before she sues you.
"John Winterbottom" <as******@hotma il.com> wrote in
news:2n******** ****@uni-berlin.de: "Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn******** ***********@130 .133.1.4...
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms
and their inherent vulnerability?
AFAIK your interpretation is correct - if you want a user to be able to
update records via a continuous form they need UPDATE permissions on the
underlying table. You could put a trigger on the table to audit who
actually did the update but other than that I don't think there's much
else you can do. The alternative is to use bound forms for vewing only
and do all updates with stored procedures. With very few exceptions
that's basically what we do.
Thanks, John. I find this quite troubling. If we are editing using stored
procedures, (rather than bound forms), then the user could see and run
those procedures from another ADP. I'm wondering how likely it is that he
could or would then do something foolish or deliberately destructive.
--
Lyle
--
use iso date format: yyyy-mm-dd http://www.w3.org/QA/Tips/iso-date
--
The e-mail address isn't, but you could use it to find one.
Steve Jorgensen <no****@nospam. nospam> wrote in
news:iq******** *************** *********@4ax.c om: On Tue, 3 Aug 2004 12:00:14 -0400, "John Winterbottom"
<as******@hotma il.com> wrote:
"Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn****** *************@1 30.133.1.4...
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND
forms
and their inherent vulnerability?
AFAIK your interpretation is correct - if you want a user to be able to
update records via a continuous form they need UPDATE permissions on the
underlying table. You could put a trigger on the table to audit who
actually did the update but other than that I don't think there's much
else you can do. The alternative is to use bound forms for vewing only
and do all updates with stored procedures. With very few exceptions
that's basically what we do.
Actually, it's quite possible to have the trigger raise an error and
roll back the action if the user doing the update is not the same as the
user indicated in the record. ADPs are designed to move security to the
back-end, so that's where you have to do it. Fortunately, it's usually
doable.
But from the new ADP, the user could create a new record using whatver
identity he wanted?
I guess I'll study the trigger solution a bit more intensely, regardless.
--
Lyle
--
use iso date format: yyyy-mm-dd http://www.w3.org/QA/Tips/iso-date
--
The e-mail address isn't, but you could use it to find one.
"Steve Jorgensen" <no****@nospam. nospam> wrote in message
news:iq******** *************** *********@4ax.c om... On Tue, 3 Aug 2004 12:00:14 -0400, "John Winterbottom"
<as******@hotma il.com> wrote:
"Lyle Fairfield" <Lo******@FFDBA .Com> wrote in message
news:Xn******* ************@13 0.133.1.4...
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND formsand their inherent vulnerability?
AFAIK your interpretation is correct - if you want a user to be able to
update records via a continuous form they need UPDATE permissions on the
underlying table. You could put a trigger on the table to audit who
actuallydid the update but other than that I don't think there's much else you
cando. The alternative is to use bound forms for vewing only and do all
updateswith stored procedures. With very few exceptions that's basically what we
do.
Actually, it's quite possible to have the trigger raise an error and roll
back the action if the user doing the update is not the same as the user
indicated in the record.
Yes that's another option, but it adds a lot of complexity. And it means you
need a user column in every table. Better to rely on sql server permissions
and use stored procedures exclusively for updating data IMO.
Also, just my personal preference, but I try to avoid triggers for enforcing
business rules and especially for enforcing security. I've found they're not
very "visible" and you can end up forgetting about them - I have spent many
hours debugging problems that were caused by a sneaky hidden trigger.
Clearly your users are much smarter than mine. It helps to be
reminded occassionally that curious and dangerously informed users can
be MUCH worse than babysitting :)
I think you are correct that relying on anything in Access for
security is leaving loopholes open. You may want to consider using
Views and granting permissions to those instead of to the tables
themselves. This does increase your security options. I don't think
that this is a security issue with bound forms, since it doesn't stop
a user from connecting directly to the tables via Access.
It does make one think that runtime versions would be better, but that
doesn't prevent a user from installing Access (if they have insall
priviledges) and doing the same thing.
To resolve this particular issue: First, is there a good reason for
the users to have UPDATE and DELETE priviledges, even if only on their
own comments?
If so, then I would consider a separate table which tracks
modification dates and times and the user ID via UPDATE trigger on the
Bugs_Comments_a nd_Suggestions table. You may also wish to use the
same insert statement into the tracking table to track INSERTs and
DELETEs with triggers. These tables should be restricted to SA only.
I have many tables with critical information that have a DELETE
trigger which saves the deleted info to a near duplicate table (i.e.
Table and Table_Deleted) that only the sa has priviledges to. It has
saved my butt a few times since it is quick and easy to extract the
data -- and who deleted it -- when the situation arises.
Alternately, you could assign permissions at the column level, and
include a modification date and time column that the users do not have
access to. This only stores the last change, though.
Lyle Fairfield <Lo******@FFDBA .Com> wrote in message news:<Xn******* ************@13 0.133.1.4>... There is an MS-SQL table named Bugs_Comments_a nd_Suggestions.
There is a form named Bugs_Comments_a nd_Suggestions.
To allow John Doe to use this form, we GRANT him LOGIN and ACCESS permissions
to the db and SELECT permissions on the stored procedure which is the record
source for the BOUND form.
To allow John Doe to "UPDATE, INSERT, DELETE" using the BOUND form, we GRANT
John Doe "UPDATE, INSERT, DELETE" permissions on the table,
Bugs_Comments_a nd_Suggestions.
Our application enters some unique identifier for John Doe into the table,
Bugs_Comments_a nd_Suggestions, when he INSERTS a new record, and limits him
to UPDATING and DELETING records with that unique identifier, that is records
which he has created.
SO far so good, but John Doe decides he like Access and one day, when he has
a little time on his hand he decides to create his own ADP. He chooses the
option "Project, Existing Data"; a dialog box appears and he finds that the
MS-SQL server in which the table, Bugs_Comments_a nd_Suggestions lives is
listed. He chooses that. He chooses Windows Integrated Security, or uses the
SQL logon and the password he has for the application already described. He
finds a list box of Databases and chooses, again, the one where the table,
Bugs_Comments_a nd_Suggestions, lives. Then he clicks O.K. and up pops the
database window with the tables, including table,
Bugs_Comments_a nd_Suggestions. He double clicks on this table and it opens in
datasheet view.
We gave him "UPDATE, INSERT, DELETE" on this table and restricted his access
in the application itself.
But now John is in another application. The MS-SQL database does not know
this; it knows only that John has "UPDATE, INSERT, DELETE" permissions on the
table. John chooses one of Jane Doe's Suggestions and edits it to say
something extremely rude about the Department Head.
He then closes and deletes his little ADP.
The next day, Jane Doe's contract is terminated.
Do you have comments? Am I missing something about ADPS and BOUND forms and
their inherent vulnerability?
Yes, I know I could make a table for every John Doe, but multiply the number
of John Does by the number of required tables and one gets quite a large
number of tables, (about 10500 in the application which has prompted me to
write this), and specific permissions to be granted.
And of course, I am not so much worried about one table; many tables could
have this vulnerability.
Well, I'm going to read Robert Vieira's (WROX Professional SQL Server 2000
Programming) chapter on Security now, and I hope that I find that my thinking
is in error, and that I don't have to change my approach on security, or stop
using BOUND forms.
Or maybe someone here will explain how to deal with the problem I have
outlined.
--
Lyle
--
use iso date format: yyyy-mm-dd
http://www.w3.org/QA/Tips/iso-date
Lyle Fairfield <Lo******@FFDBA .Com> wrote in
news:Xn******** ***********@130 .133.1.4: Well, I'm going to read Robert Vieira's (WROX Professional SQL Server
2000 Programming) chapter on Security now, and I hope that I find that
my thinking is in error, and that I don't have to change my approach on
security, or stop using BOUND forms.
Thanks to everyone who replied. Here's my current plan.
I'm going to:
1. revoke all John Doe's permissions, but not his login or db access;
2. create an application role, "Whomever" with a password, "Whatever";
3. grant, to the application role, the permissions I removed from John Doe;
4. when John Doe opens the ADP, run code that sets (or activates) the
approle,(this restricts the CONNECTION to the context of the approle),
together with the encrypted password (I'm planning to use the CryptAPI in
the code so that the password is not openly avilable using some hex
browser);
5. Now John Doe will have the permissions of the approle, but only while he
is using the ADP which in itself determines what John can do; if he opens
the db in another context, say another ADP, he has no permissions at all.
That's it folks; maybe I'll be able to sleep tonight and get going on this
in the morning. Unless of course someone has an "UH OH" for me.
--
Lyle
--
use iso date format: yyyy-mm-dd http://www.w3.org/QA/Tips/iso-date
--
The e-mail address isn't, but you could use it to find one.
> I'm going to:
1. revoke all John Doe's permissions, but not his login or db access;
2. create an application role, "Whomever" with a password, "Whatever";
3. grant, to the application role, the permissions I removed from John Doe;
4. when John Doe opens the ADP, run code that sets (or activates) the
approle,(this restricts the CONNECTION to the context of the approle),
together with the encrypted password (I'm planning to use the CryptAPI in
the code so that the password is not openly avilable using some hex
browser);
5. Now John Doe will have the permissions of the approle, but only while he
is using the ADP which in itself determines what John can do; if he opens
the db in another context, say another ADP, he has no permissions at all.
That's it folks; maybe I'll be able to sleep tonight and get going on this
in the morning. Unless of course someone has an "UH OH" for me.
Nice solution. Let us know how it works out. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Lyle Fairfield |
last post by:
I have developed ADPs now for three years, in Ac2K and AcXP. I have sold
two ADP applications for > $30,000 USD, one to a large company in Atlanta,
and one to a local (Ontario, Canada) school board, and numerous smaller
ones.
Initially my applications have started as accessing MS-SQL Server over the
internet. For development purposes I use MSDE, or rent an SQL Server DB
from my site provider for $15 USD monthly. The "school board"...
|
by: Lyle Fairfield |
last post by:
Recently I've used ADPs in ways in which I have not previously used MDBs.
I've been encouraged to do so because of ADPs clear separation from the
data in the db, and by their ability to use MS-SQL permissions to
compartmentalize things.
1. Recently I've received requests for spin-offs from an installed
application, mostly to accommodate other departments in the same
organization who want reports based on the data input and generated by...
|
by: NWx |
last post by:
Hi,
I developed a small test app using ASP.NET. I left the vistual folder to be
accessible only with windows integrated security.
I try to access that app from another PC in my LAN. I don't have a domain
controller, the lan works with Workgroup.
When I access that page, I get a user login dialog, aking me to enter
username / password
|
by: Andrew |
last post by:
Hey all,
I would like to preface my question by stating I am still learning ASP.net
and while I am confident in the basics and foundation, the more advanced
stuff is still a challenge. Ok. :)
|
by: Mohamed Zaki |
last post by:
Dear All,
I've develop asp.net solution to enumerate the domain users, this
solution using Windows Integrated Authentication, however on the staging
server it's working fine, but when moving the the live server, it throws
errors and i've to set the "UserName" and "Password" for the directory Entry
to be able to enumerate the users !!, i don't know why this happen although
i'm using domain integrated authentication, and it was working fine...
| | |
by: Brian |
last post by:
Is there any update as to whether or not impersonation can be used with
SQL session state when using integrated security? Are there any work
arounds? For example giving the impersonation account access to the
state database?
I've only found some old information.
Any comments appreciated!!
|
by: Bob |
last post by:
I would like to use integrated security for DB connection for my ASP.NET
applications. Since these apps have different databases (SQL Server), I
want each app to be able to access its own database. Say if I have 10 apps,
I'd need 10 logins, one login for each DB. Now throw in the windows
integrated security, I need 10 windows account. However, in order to run an
ASP.NET app under a certain identity, it has to have its own application...
|
by: Mr Newbie |
last post by:
Hi,
Im in a situation where I need to restrict users, but I dont have access or
wont be allowed access to manage groups in the domain. How can I restrict
access is this case ?
--
Best Regards
|
by: Dariusz Tomon |
last post by:
I got an ASPNET C# project from client. When I'm trying to open it in Visual
Studio I get error message:
"Unable to start debugging on the web server. Debugging failed because
integrated Windows authentication is not enabled. Please see Help for
assistance" - What could be the problem?
Any suggestion will be appreciate.
D.T.
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
