
Using Access database and security concerns

Hi All,

I am working on a web site in asp which will be hosted on a Windows 2003
server.

I use the following code to connect to the database:

Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS1 = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
dbpath = "C:\WWW\dbfolder\database.mdb"
objConn.ConnectionString = "Data Source=" & dbpath
objConn.Open

The administrator of the server agrees to set the security for the database
to read/write by the internet user. He doesn't want to allow the root
folder for the database to have read and write permission for the internet
user. At present, when I open the database I can read it, but when I try to
insert or update records, it will fail if the root folder for the database
doesn't have write permission for the internet user, IUSR. As far as I know,
when the database is open, it has to create a lock file (.ldb) in the
same folder where the database resides. I can place the database outside the
internet folder if I need to. I asked the administrator to create a virtual
folder on that folder and now the internet users can't browse the database
folder or to download it.
Do I need to set up a username and password on the Access database, is there
any point in doing that?
Please advise what is the best way of connecting to the database in order to
have maximum security and what settings I need to do in order to achieve
this.

Regards
Nicolae
Jul 22 '05 #1

"Nicolae Fieraru" <no****@please.com> wrote in message
news:e7**************@TK2MSFTNGP09.phx.gbl...
> The administrator of the server agrees to set the security for the database
> to read/write by the internet user. He doesn't want to allow the root
> folder for the database to have read and write permission for the internet
> user. At present, when I open the database I can read it, but when I try to
> insert or update records, it will fail if the root folder for the database
> doesn't have write permission for the internet user, IUSR. As far as I know,
> when the database is open, it has to create a lock file (.ldb) in the
> same folder where the database resides.

You are correct. So, for this reason, as it seems you know, the IUSR
account needs permissions to modify the ~directory~ in which the mdb exists.
It seems to me that server guy isn't employed by a hosting company.

> I can place the database outside the
> internet folder if I need to.

I suggest placing the database wherever makes sense to you and whatever's
easiest for you. Just make sure that IIS will not allow anyone to download
the file. (Turn off read writes in IIS.)

> I asked the administrator to create a virtual
> folder on that folder and now the internet users can't browse the database
> folder or to download it.
> Do I need to set up a username and password on the Access database, is there
> any point in doing that?

If someone is able to download your database, there are tools he can use to
get in. So, passwords in Access are generally meaningless. They're good in
a small office somewhere where you don't have any "computer-savvy" people.
But, in the scope of the entire world, it doesn't make a difference.

Ray at work

Jul 22 '05 #2
Hi Ray, thank you very much for your reply.

The server administrator is a guy I used to work with, he is still with my
previous company.
I do web design by myself. The customer has chosen me to do the web design
and they chose my previous company for further advice. They advised them to
buy a server from them and now I have to work with them in order to set up
the web site I made.
He told me he can't give me write permission to the root folder to the
database folder, because that creates a security breach to the server (for
the security concerns he didn't give me ftp access either :-) ). Now, the
customer listens only to what he says and if he says my web site is not
secure enough, I am in big trouble, because my customer has no technical
knowledge and they completely rely on what this guy tells them.
From what you say here, I understand that it is obligatory to allow
the internet user write permission for the database folder, right?
Is this safe enough, or can it create security problems? If that is the
case, is there a safer method which would keep my former colleague and
the customer happy?
I am asking you again because I just might send your reply to my
customer, in case the need arises.

Regards,
Nicolae

Jul 22 '05 #3
<sigh>
Yes, if the database is in the root of the C: drive, then he's correct that
giving IUSR this access would be a security problem ...

However, nobody is suggesting that the database be in the root of the hard
drive are they? What possible harm can be done to the server if IUSR is
given read/write authority (NOT Full authority) to a subfolder on that hard
drive? The administrator needs to be encouraged to do some research.

If using Access, then there is no alternative: IUSR (and possibly IWAM) MUST
have read/write (aka Change or Modify depending on the OS) permissions for
the folder containing the database file. The only alternative is to switch
to using a server-based database such as SQL Server, or MySQL, or PostgreSQL.

Bob Barrows

Nicolae Fieraru wrote:
> Hi Ray, thank you very much for your reply.
>
> tells them. From what you say here, I understand that it is
> obligatory to allow
> the internet user write permission for the database folder, right?
> Is this safe enough, or can it create security problems? If that is
> the case, is there a safer method which would keep my former
> colleague and the customer happy?
> I am asking you again because I just might send your reply to my
> customer, in case the need arises.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #4
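
A preflight page for the requirement discussed in the replies above, added here as an example and not code from any poster: run under the anonymous IIS account, it reports whether the database folder sits under the site's home directory and whether that account can create and delete a file there, which is what Jet needs for the .ldb lock file. The function names are hypothetical and `DB_FOLDER` is taken from the path in the original post.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example (not from the thread). DB_FOLDER is the path from the original
' post; adjust it to your layout.
Const DB_FOLDER = "C:\WWW\dbfolder"

' True if the folder sits under the site's home directory, where IIS could
' serve the .mdb unless read access is disabled for it. Virtual directories
' that map other paths are not covered by this check.
Function IsUnderSiteRoot(folder)
    Dim root
    root = LCase(Server.MapPath("/"))
    If Right(root, 1) <> "\" Then root = root & "\"
    IsUnderSiteRoot = (Left(LCase(folder) & "\", Len(root)) = root)
End Function

' Jet creates and later deletes <name>.ldb beside the .mdb. Probe the same
' create/delete rights with a temporary file, as the account running this page.
Function CanCreateLockFile(folder)
    Dim fso, probe, ts
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    probe = fso.BuildPath(folder, fso.GetTempName())
    On Error Resume Next
    Set ts = fso.CreateTextFile(probe, True)
    If Err.Number = 0 Then
        ts.Close
        fso.DeleteFile probe
    End If
    CanCreateLockFile = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

Response.ContentType = "text/plain"
Response.Write "Folder checked: " & DB_FOLDER & vbCrLf
Response.Write "Under site root: " & IsUnderSiteRoot(DB_FOLDER) & vbCrLf
Response.Write "Lock file can be created and deleted: " & _
    CanCreateLockFile(DB_FOLDER) & vbCrLf
%>
```

Delete the page once the permissions are confirmed, since it discloses a server path.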
Thank you very much Bob for your reply.
Jul 22 '05 #5
