473,323 Members | 1,589 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,323 software developers and data experts.

Security: some default system.mdw files can get into the app without prompt

We secured an Access MDB for a client, using the Access 2000 (or above -
still trying to find that out) security wizard. I trust the developer who
did this, and the screendumps of the process don't give any indication he
missed a step, or got an error, etc.
On several machines in our office, if you try to open the database without
the special system.mdw, you correctly get an error "You do not have the
necessary permissions...". With that special mdw, it correctly prompts for
user/pw.
I got the default system.mdw from our client, and using that one, I can open
the db without any error or prompt for user/pw.
I thought I understood security pretty well, but this one has me stumped.
Anyone?
Thanks,
-Tom.
Nov 13 '05 #1
3 1654
On Tue, 4 Oct 2005 18:20:19 -0700, "Tom van Stiphout"
<tv**********@no.spam.kinetik-it.com> wrote:
We secured an Access MDB for a client, using the Access 2000 (or above -
still trying to find that out) security wizard. I trust the developer who
did this, and the screendumps of the process don't give any indication he
missed a step, or got an error, etc.
On several machines in our office, if you try to open the database without
the special system.mdw, you correctly get an error "You do not have the
necessary permissions...". With that special mdw, it correctly prompts for
user/pw.
I got the default system.mdw from our client, and using that one, I can open
the db without any error or prompt for user/pw.
I thought I understood security pretty well, but this one has me stumped.
Anyone?
Thanks,
-Tom.


Whenever you use a workgroup file in which a password has not been assigned to
the Admin user, you automatically log in as Admin and are not asked for a
password. This is not a problem for security if the database is properly
secured.

If the default Admin user has permissions non-authorized users should not have
in your database, then it sounds like one of the common Access security
mistakes may have been made. For a database to be properly secure, it must
-not- be owned by the built-in Admin account (meaning it cannot have been
created by that user), and all unwanted Admin and Admins permissions must be
removed. You may know all that, but just covering all the bases.

Nov 13 '05 #2
On Tue, 04 Oct 2005 19:15:20 -0700, Steve Jorgensen
<no****@nospam.nospam> wrote:

I checked that: all objects are owned by a new "dbOwner" superuser,
and user Admin has no rights to any object. I was shocked when I saw
that for user Admin for example Open/Run Database was revoked, yet
there I was... Perhaps I should take a screenshot.

Good point about the Admins group, I'll need to check that tomorrow.

-Tom.

On Tue, 4 Oct 2005 18:20:19 -0700, "Tom van Stiphout"
<tv**********@no.spam.kinetik-it.com> wrote:
We secured an Access MDB for a client, using the Access 2000 (or above -
still trying to find that out) security wizard. I trust the developer who
did this, and the screendumps of the process don't give any indication he
missed a step, or got an error, etc.
On several machines in our office, if you try to open the database without
the special system.mdw, you correctly get an error "You do not have the
necessary permissions...". With that special mdw, it correctly prompts for
user/pw.
I got the default system.mdw from our client, and using that one, I can open
the db without any error or prompt for user/pw.
I thought I understood security pretty well, but this one has me stumped.
Anyone?
Thanks,
-Tom.


Whenever you use a workgroup file in which a password has not been assigned to
the Admin user, you automatically log in as Admin and are not asked for a
password. This is not a problem for security if the database is properly
secured.

If the default Admin user has permissions non-authorized users should not have
in your database, then it sounds like one of the common Access security
mistakes may have been made. For a database to be properly secure, it must
-not- be owned by the built-in Admin account (meaning it cannot have been
created by that user), and all unwanted Admin and Admins permissions must be
removed. You may know all that, but just covering all the bases.


Nov 13 '05 #3
On Tue, 04 Oct 2005 19:09:32 -0700, Tom van Stiphout
<no*************@cox.net> wrote:

That was it: the Admins group still had full rights. Unsure if the
Security Wizard skipped a step, or the developer.

-Tom.
On Tue, 04 Oct 2005 19:15:20 -0700, Steve Jorgensen
<no****@nospam.nospam> wrote:

I checked that: all objects are owned by a new "dbOwner" superuser,
and user Admin has no rights to any object. I was shocked when I saw
that for user Admin for example Open/Run Database was revoked, yet
there I was... Perhaps I should take a screenshot.

Good point about the Admins group, I'll need to check that tomorrow.

-Tom.

On Tue, 4 Oct 2005 18:20:19 -0700, "Tom van Stiphout"
<tv**********@no.spam.kinetik-it.com> wrote:
We secured an Access MDB for a client, using the Access 2000 (or above -
still trying to find that out) security wizard. I trust the developer who
did this, and the screendumps of the process don't give any indication he
missed a step, or got an error, etc.
On several machines in our office, if you try to open the database without
the special system.mdw, you correctly get an error "You do not have the
necessary permissions...". With that special mdw, it correctly prompts for
user/pw.
I got the default system.mdw from our client, and using that one, I can open
the db without any error or prompt for user/pw.
I thought I understood security pretty well, but this one has me stumped.
Anyone?
Thanks,
-Tom.


Whenever you use a workgroup file in which a password has not been assigned to
the Admin user, you automatically log in as Admin and are not asked for a
password. This is not a problem for security if the database is properly
secured.

If the default Admin user has permissions non-authorized users should not have
in your database, then it sounds like one of the common Access security
mistakes may have been made. For a database to be properly secure, it must
-not- be owned by the built-in Admin account (meaning it cannot have been
created by that user), and all unwanted Admin and Admins permissions must be
removed. You may know all that, but just covering all the bases.


Nov 13 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: travelling_nerd | last post by:
Folks: I have some zip files I'd like to serve to authenticated users on my site, but would like to prevent unauthorized users from using an absolute path to get to these zip files. For example...
3
by: Andrew | last post by:
Hi expert, By using FileSystemObject, I want a specific user from the server to write and delete folders, and not allow the IUSER_<server> to do that. Is it possible? If yes, how I can do that?...
7
by: Newbillian | last post by:
Is there some way of using vba to automate the processe of joining an Access 97 security workgroup? I typed wrkgadm /? at a command prompt and it just opens the gui, so I'm not sure what the...
5
by: Jeff Amiel | last post by:
Yes, I've read the FAQ's... I'm still confused. I'm trying to help out a buddy to extract data from an .mdb file that has special 'permissions' on it. If I try to open it with the standard...
2
by: TechBoy | last post by:
I am trying to learn on the fly about Access Security for an app we are developing. I realize Access security is an advanced subject with many details. I wanted to share a scenario and ask a...
5
by: Greg Strong | last post by:
Hello All, What are the best ways to implement security for Access databases (i.e. ..MDB files)? I ask the question from a general perspective. Why? Well I had written a prototype database...
29
by: Patrick | last post by:
I have the following code, which regardless which works fine and logs to the EventViewer regardless of whether <processModel/> section of machine.config is set to username="SYSTEM" or "machine" ...
2
by: John Kotuby | last post by:
Hello all, Note: This is the full version of a Post that I inadvertently sent before it was complete. About a year ago I wrote a VB.NET 2003 solution that consists of a number of assemblies...
4
by: mrouleau | last post by:
I am sorry if this is the wrong group to ask, if so please point me in the correct direction. My problem is I have an MDB file with user-level security on it (mdw). When i move it over to a...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.