RWOP queries, security and .NET front ends

Not sure whether this is the right group, but I can't find anything in the
.NET groups and my apologies if this has already been covered or is
considered "off subject".

I am looking at using an Access database to hold data which will be handled
via VB.NET and I am not sure about some of the security aspects. I am going
the .NET route as part of the application involves using a Pocket PC and I
don't want part to involve deploying msaccess.exe and so on as well as the
.NET stuff. Including a .mdb file in with the .NET stuff is OK.

With an Access front end it is possible to stop users from running RWOP
queries except when called from an Access form by putting a function in the
query which checks where it is being called from by using CurrentObjectType.
I am looking for something similar to use with VB.NET. However, as far as I
can see, if the VB.NET app calls the RWOP query in the Access database,
there is not much you can do to stop them calling the RWOP query themselves,
e.g. from their own Access database. My question is: How do I stop users
from running queries or accessing tables in the Access back end while still
giving my VB.NET "front end" sufficient access, please?

When I've done Access apps that require reasonable security I've done things
like:

1) Use user-level security.
2) Develop using one MDW file, but not allow users to use this. Instead they
use the default system.mdw. Users, therefore, enter the app as the Admin
user from system.mdw and the app then checks their Windows ID to specify
which parts of the app they can access.
3) Do a proper removal of the Shift bypass stuff so they are forced into
running code that picks up their Windows ID. Either that or ID's are held in
tables and used from there, with the users having to enter an ID and
password to authenticate themselves.

The problem seems to be that if I am using user-level security for the
Access database, VB.NET requires a user ID and password for this that also
requires the existence of - and physical access to - an MDW file with those
details in. This is where the security hole appears to be. As many people
know, if a user has physical access to a .mdw file, there are tools around
that will let them see all groups, ID's and passwords in that .mdw file. I
also know that it is possible for some people to break into a .mdb file even
without the developer's .mdw file, but if people are that desperate to get
into my app, well, they need to get a life. The level of sensitivity of the
data is such that I need "only" to stop people running RWOP queries that
they shouldn't be running.

The best I can think of is to give the .mdw file a non-standard name, e.g.
MyPretendName.dll, and try and hide it somewhere on the user's PC other than
in the application's own folder, in which case I then need to find a way of
deploying it there and I haven't got that far in my understanding of .NET
application deployment to be able to do that. It doesn't appear a very
robust way to do it either.

Any help would be much appreciated. I don't expect this is the first time
anyone has wanted to know the answer to this.

Alan Cossey

PS Using SQL Server or the like is not an option.
Nov 12 '05 #1
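
The connection described in the post above, sketched as an added example that is not part of the original thread: it shows which values a VB.NET front end must hold to open a Jet database under user-level security and read an RWOP query. The file paths, the account name `AppFrontEnd` and the query name `qryCustomerSummary` are hypothetical.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Module RwopClientExample
    ' Hypothetical paths and account, constructed for this example.
    Private Const DbPath As String = "C:\MyApp\Data.mdb"
    Private Const WorkgroupPath As String = "C:\MyApp\Secured.mdw"
    Private Const AppUser As String = "AppFrontEnd"

    ' Jet user-level security needs all four values on the client:
    ' the .mdb, the .mdw, a user name and that user's password.
    Function BuildConnectionString(ByVal password As String) As String
        Return "Provider=Microsoft.Jet.OLEDB.4.0;" & _
               "Data Source=" & DbPath & ";" & _
               "Jet OLEDB:System Database=" & WorkgroupPath & ";" & _
               "User ID=" & AppUser & ";" & _
               "Password=" & password & ";"
    End Function

    ' Reads a saved query assumed to be defined WITH OWNERACCESS OPTION
    ' (an RWOP query), so AppFrontEnd needs permission on the query only
    ' and none on the underlying tables.
    Function RunRwopQuery(ByVal password As String) As DataTable
        Dim result As New DataTable()
        Using conn As New OleDbConnection(BuildConnectionString(password))
            Using adapter As New OleDbDataAdapter( _
                    "SELECT * FROM qryCustomerSummary", conn)
                ' Fill opens and closes the connection itself.
                adapter.Fill(result)
            End Using
        End Using
        Return result
    End Function

    ' Jet checks only the user name, password and workgroup file. Nothing
    ' in the connection identifies the calling program, so permissions
    ' granted to AppFrontEnd apply to any client that presents the same
    ' values, which is the gap the post describes.
End Module
```
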

Why not use SQL Server CE ("the compact database")? See this URL:

http://www.microsoft.com/sql/CE/default.asp

The .NET newsgroups are on Microsoft news servers:

microsoft.public.dotnet.languages.csharp
microsoft.public.dotnet.languages.vb (not sure)

--
MGFoster:::mgf00 <at> earthlink <decimal-point> net
Oakland, CA (USA)

Nov 12 '05 #2

Thanks for replying. As far as I am aware SQL Server CE only works on
devices running the .NET Compact Framework and, though my app will include
this and I may well use SQLSCE for that part, I want to use Jet/Access to
store data on the PC for various reasons, rather than use SQL Server / MSDE
2000.

Alan
Nov 12 '05 #3
