Security: some default system.mdw files can get into the app without prompt

We secured an Access MDB for a client, using the Access 2000 (or above -
still trying to find that out) security wizard. I trust the developer who
did this, and the screendumps of the process don't give any indication he
missed a step, or got an error, etc.
On several machines in our office, if you try to open the database without
the special system.mdw, you correctly get an error "You do not have the
necessary permissions...". With that special mdw, it correctly prompts for
user/pw.
I got the default system.mdw from our client, and using that one, I can open
the db without any error or prompt for user/pw.
I thought I understood security pretty well, but this one has me stumped.
Anyone?
Thanks,
-Tom.
Nov 13 '05 #1
On Tue, 4 Oct 2005 18:20:19 -0700, "Tom van Stiphout"
<tv**********@no.spam.kinetik-it.com> wrote:
> We secured an Access MDB for a client, using the Access 2000 (or above -
> still trying to find that out) security wizard. I trust the developer who
> did this, and the screendumps of the process don't give any indication he
> missed a step, or got an error, etc.
> On several machines in our office, if you try to open the database without
> the special system.mdw, you correctly get an error "You do not have the
> necessary permissions...". With that special mdw, it correctly prompts for
> user/pw.
> I got the default system.mdw from our client, and using that one, I can open
> the db without any error or prompt for user/pw.
> I thought I understood security pretty well, but this one has me stumped.
> Anyone?
> Thanks,
> -Tom.


Whenever you use a workgroup file in which a password has not been assigned to
the Admin user, you automatically log in as Admin and are not asked for a
password. This is not a problem for security if the database is properly
secured.

If the default Admin user has permissions non-authorized users should not have
in your database, then it sounds like one of the common Access security
mistakes may have been made. For a database to be properly secure, it must
-not- be owned by the built-in Admin account (meaning it cannot have been
created by that user), and all unwanted Admin and Admins permissions must be
removed. You may know all that, but just covering all the bases.

Nov 13 '05 #2
On Tue, 04 Oct 2005 19:15:20 -0700, Steve Jorgensen
<no****@nospam.nospam> wrote:

I checked that: all objects are owned by a new "dbOwner" superuser,
and user Admin has no rights to any object. I was shocked when I saw
that for user Admin for example Open/Run Database was revoked, yet
there I was... Perhaps I should take a screenshot.

Good point about the Admins group, I'll need to check that tomorrow.

-Tom.


Nov 13 '05 #3
On Tue, 04 Oct 2005 19:09:32 -0700, Tom van Stiphout
<no*************@cox.net> wrote:

That was it: the Admins group still had full rights. Unsure if the
Security Wizard skipped a step, or the developer.

-Tom.

Nov 13 '05 #4
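
An audit of the two conditions named in reply #2 and confirmed in reply #4 (ownership by Admin, and leftover Admin/Admins permissions), as an added VBA/DAO example that is not code from the thread. It assumes a reference to the Microsoft DAO object library and a logon that may read object permissions; the function name AuditBuiltInAccounts and the extra check of the built-in Users group are choices made for this example.

```vba
Option Explicit
' Added example (not from the thread). Needs a reference to the Microsoft DAO
' object library and a logon that is allowed to read object permissions.

' Prints every object still owned by Admin and every explicit permission held
' by a built-in account; returns the number of findings (0 = nothing found).
Public Function AuditBuiltInAccounts() As Long
    Dim db As DAO.Database
    Dim con As DAO.Container
    Dim doc As DAO.Document
    Dim acct As Variant
    Dim findings As Long

    Set db = CurrentDb()

    ' Admin and Admins are the accounts named in the thread; Users, the other
    ' built-in group, is included here as an extra check (assumption).
    For Each acct In Array("Admin", "Admins", "Users")
        For Each con In db.Containers
            con.UserName = CStr(acct)
            ' Container permissions are the defaults applied to new objects.
            If con.Permissions <> dbSecNoAccess Then
                Debug.Print acct, "[container] " & con.Name, "&H" & Hex$(con.Permissions)
                findings = findings + 1
            End If
            For Each doc In con.Documents
                doc.UserName = CStr(acct)
                ' .Permissions is the explicit grant for this account only.
                If doc.Permissions <> dbSecNoAccess Then
                    Debug.Print acct, con.Name & "\" & doc.Name, "&H" & Hex$(doc.Permissions)
                    findings = findings + 1
                End If
            Next doc
        Next con
    Next acct

    ' Ownership check: an owner can always reset permissions on its object.
    For Each con In db.Containers
        For Each doc In con.Documents
            If doc.Owner = "Admin" Then
                Debug.Print "OWNER=Admin", con.Name & "\" & doc.Name
                findings = findings + 1
            End If
        Next doc
    Next con

    AuditBuiltInAccounts = findings
End Function
```

Account names are resolved through the workgroup file in use, so run the audit under the same system.mdw whose access is in question and read the results in the Immediate window.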