
User/Group Security -- Just How Bad Is It?

TC
In the past I always regarded user/group security as fairly tight. It
is tricky to implement, but once implemented properly, it can't be
cracked except through a dedicated effort.

Recently, however, I saw something which greatly lowered my opinion of
user/group security. I sent a secured database to a colleague. I forgot
to send him the workgroup file, but that didn't slow him down at all.
The next day, he sent me the work I had requested and, as an aside,
mentioned that he built his own version of the workgroup file -- then
he listed every user/PID combination used in the app. In other words,
he had completely cracked the security. I asked him how he did it, and
he said he used a tool downloaded from the internet. We happened to be
using Access 2000, but he says it works just as well with Access 2003.

Based on that experience, Access security now looks extremely weak to
me. Before I reach that conclusion, however, I want to post on the
newsgroup for a reality check. Did I make some amateur mistake when
securing the application? (i.e. "Duh! If you don't check the woo-woo
box on the fizziwig form, of course everybody can see your user/PID
data!") Or is user/group security truly weak, and I'm just the last to
know? (i.e. "You didn't know user/group security was worthless? Have
you been living in a cave?")

To put my concerns in the form of a specific question: Is Access
security really so weak that a properly secured Access application can
be completely cracked in less than a minute using software downloaded
from the internet?

It would be good to know.
-TC

Jun 5 '06 #1
The obvious first question is "Did you remove ALL permission from the Admin
user before sending the app out?" If you don't do this, your database is
not secure, period.
Jun 5 '06 #2
TC, the answer to your question is basically, Yes.

I understand that Access 2007 won't bother with security in the new accdb
format.

--
Allen Browne - Microsoft MVP. Perth, Western Australia.
Tips for Access users - http://allenbrowne.com/tips.html
Reply to group, rather than allenbrowne at mvps dot org.

"TC" <go*********@yahoo.com> wrote in message
news:11**********************@g10g2000cwb.googlegroups.com...
In the past I always regarded user/group security as fairly tight. It
is tricky to implement, but once implemented properly, it can't be
cracked except through a dedicated effort.

Recently, however, I saw something which greatly lowered my opinion of
user/group security. I sent a secured database to a colleague. I forgot
to send him the workgroup file, but that didn't slow him down at all.
The next day, he sent me the work I had requested and, as an aside,
mentioned that he built his own version of the workgroup file -- then
he listed every user/PID combination used in the app. In other words,
he had completely cracked the security. I asked him how he did it, and
he said he used a tool downloaded from the internet. We happened to be
using Access 2000, but he says it works just as well with Access 2003.

Based on that experience, Access security now looks extremely weak to
me. Before I reach that conclusion, however, I want to post on the
newsgroup for a reality check. Did I make some amateur mistake when
securing the application? (i.e. "Duh! If you don't check the woo-woo
box on the fizziwig form, of course everybody can see your user/PID
data!") Or is user/group security truly weak, and I'm just the last to
know? (i.e. "You didn't know user/group security was worthless? Have
you been living in a cave?")

To put my concerns in the form of a specific question: Is Access
security really so weak that a properly secured Access application can
be completely cracked in less than a minute using software downloaded
from the internet?

It would be good to know.
-TC

Jun 5 '06 #3
By the way, I'm certainly curious to know the name of the software you used
to crack Access security.

If you're talking about a database password, that was never considered very
strong, ever. It was for keeping casual users from making mischief
accidentally, in my opinion.

If you're talking genuine Access user/group security, I'm very interested in
the name of that software.
Jun 5 '06 #4
Allen Browne wrote:
TC, the answer to your question is basically, Yes.

I understand that Access 2007 won't bother with security in the new accdb
format.

In a multi-user LAN environment, I like to use the Operating System
security for who has access to the application. That is pretty secure.
Then my Access security is to limit who can see and do what, among the
authorized users.

But yes one of the authorized users can get password cracking software.
In a company there are usually "administrative sanctions" that can
be brought to bear on people accessing data/information they are not
authorized to access.

Also, last time I looked, I did not find any free Access cracking
software. If still the case, the fee for such cracking software might
be a minor deterrent.

Bob
Jun 5 '06 #5
TC
Allen,

Thanks for the direct answer.

I would be very disappointed if the security features are discontinued
in Access 2007. To me, user/group security would be a very good system,
if only it worked. Let's hope they fix it instead of abandoning it.

-TC
Allen Browne wrote:
TC, the answer to your question is basically, Yes.

I understand that Access 2007 won't bother with security in the new accdb
format.

--
Allen Browne - Microsoft MVP. Perth, Western Australia.
Tips for Access users - http://allenbrowne.com/tips.html
Reply to group, rather than allenbrowne at mvps dot org.


Jun 5 '06 #6
TC
Bob,

It looks like I need a new approach to security. I think I'll start
with the one you recommend.

It sounds like you use a dual log-in system. When they boot the
computer, users log-in to the operating system. When they start the
app, they log-in to the application. The second log-in seems
inefficient to me. If you are relying on the operating system security
anyway, why not use the OS account to govern the behavior of the app
instead of maintaining a redundant workgroup account?

-TC
Bob Alston wrote:
In a multi-user LAN environment, I like to use the Operating System
security for who has access to the application. That is pretty secure.
Then my Access security is to limit who can see and do what, among the
authorized users.

But yes one of the authorized users can get password cracking software.
In a company there are usually "administrative sanctions" that can
be brought to bear on people accessing data/information they are not
authorized to access.

Also, last time I looked, I did not find any free Access cracking
software. If still the case, the fee for such cracking software might
be a minor deterrent.

Bob


Jun 5 '06 #7
"TC" <go*********@yahoo.com> wrote in
news:11**********************@u72g2000cwu.googlegroups.com:
It sounds like you use a dual log-in system. When they boot the
computer, users log-in to the operating system. When they start
the app, they log-in to the application. The second log-in seems
inefficient to me. If you are relying on the operating system
security anyway, why not use the OS account to govern the behavior
of the app instead of maintaining a redundant workgroup account?


I would love to do this, but have not yet found explanations of the
API to Active Directory that make any sense to me. I'd be delighted
to use NT user group membership to control access in my Access apps.

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/
Jun 5 '06 #8
David W. Fenton wrote:
"TC" <go*********@yahoo.com> wrote in
news:11**********************@u72g2000cwu.googlegroups.com:

It sounds like you use a dual log-in system. When they boot the
computer, users log-in to the operating system. When they start
the app, they log-in to the application. The second log-in seems
inefficient to me. If you are relying on the operating system
security anyway, why not use the OS account to govern the behavior
of the app instead of maintaining a redundant workgroup account?

I would love to do this, but have not yet found explanations of the
API to Active Directory that make any sense to me. I'd be delighted
to use NT user group membership to control access in my Access apps.

If you are replying to my post, yes, I do use both the OS security to
control access to the db. Then Access grabs the user ID from the OS and
establishes access privileges based on that ID. No second logon required.

Bob
Jun 5 '06 #9
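
The approach discussed in the posts above (take the identity from the Windows logon and derive application privileges from NT group membership) can be sketched in VBA as follows. This is an added example, not code from any poster in the thread; the group names `AccessApp_Admins` and `AccessApp_Editors` and the role strings are hypothetical.

```vba
Option Compare Database
Option Explicit

' Hypothetical Windows groups mapped to application roles (assumed names).
Private Const GRP_ADMINS As String = "AccessApp_Admins"
Private Const GRP_EDITORS As String = "AccessApp_Editors"

' Returns the names of the Windows groups the logged-on account belongs to.
' The identity comes from WScript.Network (the logon session), not from
' Environ("USERNAME"), which a user can change before starting Access.
Public Function CurrentUserGroups() As Collection
    Dim net As Object, usr As Object, grp As Object
    Dim result As New Collection

    Set net = CreateObject("WScript.Network")
    ' ADSI WinNT provider: binds to the account by domain and user name.
    Set usr = GetObject("WinNT://" & net.UserDomain & "/" & net.UserName & ",user")
    For Each grp In usr.Groups
        result.Add grp.Name
    Next grp
    Set CurrentUserGroups = result
End Function

' Maps group membership to a single application role.
' Default is deny: unknown users, or a failed directory lookup, get "None".
Public Function AppRole() As String
    Dim g As Variant

    AppRole = "None"
    On Error GoTo Fail
    For Each g In CurrentUserGroups()
        If StrComp(g, GRP_ADMINS, vbTextCompare) = 0 Then
            AppRole = "Admin"           ' highest role wins, stop looking
            Exit Function
        ElseIf StrComp(g, GRP_EDITORS, vbTextCompare) = 0 Then
            AppRole = "Editor"
        End If
    Next g
    Exit Function
Fail:
    AppRole = "None"
End Function
```

Calling `AppRole()` from the startup form decides which forms and commands to expose without a second logon. It only shapes what the application shows; who can open the database file at all is still decided by the operating system permissions on the share.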
However, I did find warez cracks for the commercial cracking software.

(david)
"Bob Alston" <bo********@yahoo.com> wrote in message
news:Er*************@fe03.lga...
Allen Browne wrote:
TC, the answer to your question is basically, Yes.

I understand that Access 2007 won't bother with security in the new accdb
format.

In a multi-user LAN environment, I like to use the Operating System
security for who has access to the application. That is pretty secure.
Then my Access security is to limit who can see and do what, among the
authorized users.

But yes one of the authorized users can get password cracking software. In
a company there are usually "administrative sanctions" that can be brought
to bear on people accessing data/information they are not authorized to
access.

Also, last time I looked, I did not find any free Access cracking
software. If still the case, the fee for such cracking software might be
a minor deterrent.

Bob


However, I did find cracks for the commercial cracking software.

(david)

Jun 6 '06 #10
