  1. #1
    3 Star Lounger
    Join Date
    Dec 2001
    Location
    Royal Oak, Michigan, USA
    Posts
    255

    Security (V2000)

    We have an Access database that is password protected. I've heard of the MS Access password vulnerabilities but wasn't certain how true the stories were. Our IT Department is now discouraging us, forcing us to either revise or abandon a database we built because of security concerns, as someone on their team was able to hack into the database. Here is their position:

    -Threat
    The Allstate Reporting.mdb file contains report information as well as a users table for the reporting application. To protect the information in the file, Microsoft Access Password Protection is used.

    -Impact
    Using a free application from the Internet it is possible to decode the MS Access password and gain access to the users table in the mdb file. Using this information an Attacker can then leverage all data in the tables.

    -Solution
    MS Access password protection is extremely insecure and easy to crack and should never be used to protect information that is considered confidential. Stronger encryption should be used for sensitive information.

    ***What options do I have?
    Thanks!

  2. #2
    4 Star Lounger
    Join Date
    Jan 2002
    Location
    Brookings, South Dakota, USA
    Posts
    449

    Re: Security (V2000)

    My opinion:
    First, if not done already, split the db into a front-end (queries, forms, reports, modules) and back-end (data tables). Then, if possible, move the back-end to an instance of SQL Server by importing them into a database. If that is not quite possible, move it to SQL Server 2005 Express. On either server you can access your data (via ODBC or using ActiveX Data Objects [ADO]). This way you can use SQL Server's security (as well as Windows) to answer and defeat all 3 of IT's concerns.

    A very good starting point on Access security and very highly recommended is:
    WendellB's The Secrets of security.
    "Those who dance are considered insane by those who can't hear the music" - George Carlin

  3. #3
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Vancouver, Br. Columbia, Canada
    Posts
    632

    Re: Security (V2000)

    1) Split the database. Each user gets a copy of the frontend, the backend goes on the server. Mount it in a share on the server where the network permissions only allow the authorized people to see the file.

    2) Apply full User-Level Security to the backend -- the simple password that you used is insufficient. See the website in my signature for links to several articles.

    1 & 2 are mandatory if you stay within the Access environment. If you find them to be insufficient (and they can be for some situations) and if you want "bulletproof" security, move the backend to an SQL server as already suggested.
    --------------------------------------------------
    Jack MacDonald
    Vancouver, Canada
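
Added example, not part of any post in this thread: once the back-end tables are in SQL Server, as posts #2 and #3 suggest, the users table that IT read out of the .mdb can be closed off with a Windows-authenticated login and a database role. The domain group, database and table names below are assumptions for illustration.

```sql
-- Added example (T-SQL, SQL Server 2005 or later). Assumed names:
--   CONTOSO\ReportingUsers  Windows group holding the report users
--   ReportingDB             database the Access tables were imported into
--   dbo.ReportData          report table, dbo.AppUsers the application users table

-- 1. Windows authentication: no database password is stored in the front-end.
USE master;
CREATE LOGIN [CONTOSO\ReportingUsers] FROM WINDOWS;
GO

USE ReportingDB;
GO
-- 2. Map the login into the database and collect permissions in a role.
CREATE USER [CONTOSO\ReportingUsers] FOR LOGIN [CONTOSO\ReportingUsers];
CREATE ROLE report_reader;
EXEC sp_addrolemember 'report_reader', 'CONTOSO\ReportingUsers';

-- 3. Read-only access to report data; explicit DENY on the users table,
--    so a later broad GRANT to this role cannot expose it.
GRANT SELECT ON dbo.ReportData TO report_reader;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.AppUsers TO report_reader;
GO

-- 4. Check what the role actually holds on each object.
SELECT pr.name                  AS principal,
       OBJECT_NAME(pe.major_id) AS object_name,
       pe.permission_name,
       pe.state_desc            -- GRANT or DENY
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'report_reader'
  AND pe.class = 1;             -- object-level permissions only
GO

-- Linked tables in the Access front-end then connect with a trusted
-- connection (server name is a placeholder), for example:
--   ODBC;DRIVER={SQL Server};SERVER=<server>;DATABASE=ReportingDB;Trusted_Connection=Yes;
```

Unlike the single database password, access here is decided per Windows account and per table, so copying the front-end file does not hand over the users table.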
