Using Access database and security concerns

Hi All,

I am working on a web site in asp which will be hosted on a Windows 2003
server.

I use the following code to connect to the database:

Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS1 = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
dbpath = "C:\WWW\dbfolder\database.mdb"
objConn.ConnectionString = "Data Source=" & dbpath
objConn.Open

The administrator of the server agrees to set the security for the database
to read/write by the internet user. He doesn't want to allow the root
folder for the database to have read and write permission for the internet
user. At present, when I open the database I can read it, but when I try to
insert or update records, it will fail if the root folder for the database
doesn't have write permission for the internet user, IUSR. As far as I know,
when the database is open, it has to create a lock file (.ldb) in the
same folder where the database resides. I can place the database outside the
internet folder if I need to. I asked the administrator to create a virtual
folder on that folder and now the internet users can't browse the database
folder or download it.

Do I need to set up a username and password on the Access database? Is there
any point in doing that?

Please advise what is the best way of connecting to the database in order to
have maximum security and what settings I need in order to achieve
this.

Regards
Nicolae
Jul 22 '05 #1

"Nicolae Fieraru" <no****@please.com> wrote in message
news:e7**************@TK2MSFTNGP09.phx.gbl...
> The administrator of the server agrees to set the security for the database
> to read/write by the internet user. He doesn't want to allow the root
> folder for the database to have read and write permission for the internet
> user. At present, when I open the database I can read it, but when I try to
> insert or update records, it will fail if the root folder for the database
> doesn't have write permission for the internet user, IUSR. As far as I know,
> when the database is open, it has to create a lock file (.ldb) in the
> same folder where the database resides.

You are correct. So, for this reason, as it seems you know, the IUSR
account needs permissions to modify the ~directory~ in which the mdb exists.
It seems to me that server guy isn't employed by a hosting company.

> I can place the database outside the
> internet folder if I need to.

I suggest placing the database wherever makes sense to you and whatever's
easiest for you. Just make sure that IIS will not allow anyone to download
the file. (Turn off read writes in IIS.)

> I asked the administrator to create a virtual
> folder on that folder and now the internet users can't browse the database
> folder or download it.
> Do I need to set up a username and password on the Access database? Is there
> any point in doing that?

If someone is able to download your database, there are tools he can use to
get in. So, passwords in Access are generally meaningless. They're good in
a small office somewhere where you don't have any "computer-savvy" people.
But, in the scope of the entire world, it doesn't make a difference.

Ray at work

Jul 22 '05 #2
Hi Ray, thank you very much for your reply.

The server administrator is a guy I used to work with, he is still with my
previous company.
I do web design by myself. The customer has chosen me to do the web design
and they chose my previous company for further advice. They advised them to
buy a server from them and now I have to work with them in order to set up
the web site I made.
He told me he can't give me write permission to the root folder to the
database folder, because that creates a security breach to the server (for
the security concerns he didn't give me ftp access either :-) ). Now, the
customer listens only to what he says and if he says my web site is not
secure enough, I am in big trouble, because my customer has no technical
knowledge and they completely rely on what this guy tells them.
From what you say here, I understand that it is obligatory to allow
the internet user write permission for the database folder, right?
Is this safe enough, or can it create security problems? If that is the
case, is there a safer method which would keep my former colleague and
the customer happy?
I am asking you again because I just might send your reply to my
customer, in case the need arises.

Regards,
Nicolae
Jul 22 '05 #3
<sigh>
Yes, if the database is in the root of the C: drive, then he's correct that
giving IUSR this access would be a security problem ...

However, nobody is suggesting that the database be in the root of the hard
drive, are they? What possible harm can be done to the server if IUSR is
given read/write authority (NOT Full authority) to a subfolder on that hard
drive? The administrator needs to be encouraged to do some research.

If using Access, then there is no alternative: IUSR (and possibly IWAM) MUST
have read/write (aka Change or Modify depending on the OS) permissions for
the folder containing the database file. The only alternative is to switch
to using a server-based database such as SQL Server, or MySQL, or PostGRE

Bob Barrows

Nicolae Fieraru wrote:
> Hi Ray, thank you very much for your reply.
>
> tells them. From what you say here, I understand that it is
> obligatory to allow
> the internet user write permission for the database folder, right?
> Is this safe enough, or can it create security problems? If that is
> the case, is there a safer method which would keep my former
> colleague and the customer happy?
> I am asking you again because I just might send your reply to my
> customer, in case the need arises.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #4
Thank you very much Bob for your reply.
Jul 22 '05 #5
