Results 1 to 11 of 11
  1. #1
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Edmonton, Alberta, Canada
    Posts
    326
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    Did you copy everything into a new database after removing Admin's permissions?

  2. #2
    New Lounger
    Join Date
    Jun 2002
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Access 2000 Security Loophole? (2000)

    Has anyone else experienced this loophole?
    edited by WendellB to activate link to MS Kbase article

    I have been able to duplicate this security loophole on several PCs, all which have only Access 2000 on it (no eariler or later versions of Access). If I set up security exactly as written in MS Access Help and Q254372 (which I have taught to rooms of people for years so I know I am meticulously following these instructions) and then join back to the original, unchanged system.mdw file when I'm all done, I can still log in as the Admin user, who still has all permissions to all objects and even has administrative permissions to modify security in the database!

    I am using the Workgroup Administrator with Access 2000 to create the MDW file, then using the Security menu to create users and groups and to remove the Admin user from the Admins group, and finally using the security wizard to remove all permissions of the Users group and remove the Admin's ownership of the database objects (which is what MS Access Help says to do). I hypothesize that the Admin user is not really removed from the Admin's group (or not really disabled). This apparent loophole does not exist in prior versions of Access. One theory to explain this behavior is that perhaps the SYSTEM.MDW Admins group is getting changed at the same time as I'm modifying MYSYSTEM.MDW.

    If I use the Access 2000 Security Wizard for the entire operation (a procedure not mentioned in MS Access Help) including the first step which is to create a new MDW file, then there is no security loophole. The Admin user is truly locked out even if I join back to the original system.mdw.

    This is pretty serious for people who are relying on the database to be secure and are counting on the official instructions from Microsoft to be the best way to proceed.
    Thanks- Sally

  3. #3
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623
    Thanks
    3
    Thanked 60 Times in 60 Posts

    Re: Access 2000 Security Loophole? (2000)

    As the article suggests, there are three things that will cause problems in attempting to secure a database:
    <UL><LI>You were logged in as the Admin user when you created the database - therefore Admin is the owner of the database and can always login
    <LI>You failed to remove the default permissions from the User group - by default the group Users can do anything to a database object, including logging in.
    <LI>The default system.mdw file is being used for security purposes.[/list]I've done this a number of times, and it does work, but the problem is to make certain that you haven't made even a small mistake somewhere in the 15 or 16 steps. Moral of the story - use the Security Wizard - it minimizes mistakes. BTW, use of the security wizard is mentioned in my help files, and is also referenced at the bottom of the KBase article. Hope this helps.
    Wendell

  4. #4
    New Lounger
    Join Date
    Jun 2002
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    Thank you for your reply! It gave me enough to think about to realize that my problem was switching to the Security Wizard to do the last few steps (removing the Admin's ownership, removing the User's Group permissions). This used to work fine in Access 97, but no longer is okay in Access 2000. I'm not sure why this doesn't work, though.

    I am now convinced that using all the manual steps in Q254372 is good and using exclusively the Security Wizard (as stated in MS Access Help topic "Securing a Database using the User-Level Security Wizard") is good, but switching from manual steps to Security Wizard is bad.

  5. #5
    New Lounger
    Join Date
    Jun 2002
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    Thanks for your reply. I thought that the Access 2000 Security Wizard took care of that part (copying objects into new database) like the Access 97 Security Wizard does, but maybe it does not.
    Sally

  6. #6
    Lounger
    Join Date
    Aug 2001
    Location
    Lanham, Maryland
    Posts
    49
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    Perhaps you can answer a question I have. I have a secured database in Access 97. I created a new database in Access 97 and imported all of the objects from the secure database with the goal of creating an unsecured database copy. I did this while logged in as a 'super' user. I then switched to the system.mdw workgroup and was able to successfully open and play around with the unsecured version. I passed this unsecured version to a colleague who has Access 2000. When this person attempted to open the unsecured Access 97 database, an message box appeared that stated that the person could not convert the database because they did not have the necessary permissions. This person is using the installed version of Access 2000's workgroup file. Why isn't this person able to convert the database?

  7. #7
    2 Star Lounger
    Join Date
    Dec 2000
    Posts
    188
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    WendellB is correct, one should change the owner of a database and not leave Admin as the owner, for better security. For even better security, SQL Server is the way to go. But if you stick with a desktop database application, then by all means make sure you change the owner of the database, or create it with an account other than Admin to begin with.

    FWIW

  8. #8
    Plutonium Lounger
    Join Date
    Dec 2000
    Location
    Sacramento, California, USA
    Posts
    16,775
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Access 2000 Security Loophole? (2000)

    Open your copy and see who the owner of the objects is.
    Charlotte

  9. #9
    Lounger
    Join Date
    Aug 2001
    Location
    Lanham, Maryland
    Posts
    49
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    I am the owner/developer of the original, secured version and was logged in as such when I created the unsecured version. I did have another person, with Access97, successfully open the unsecured version while joined to the system.mdw workgroup.

  10. #10
    Lounger
    Join Date
    Aug 2001
    Location
    Lanham, Maryland
    Posts
    49
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Access 2000 Security Loophole? (2000)

    The owner is <Unknown>. I presume I need to change it to Admin. I did so and had another colleague with Access2000 open it. He received the expected prompt about converting to Access 2000. Thank you for your assistance.

  11. #11
    Super Moderator
    Join Date
    Aug 2001
    Location
    Evergreen, CO, USA
    Posts
    6,623
    Thanks
    3
    Thanked 60 Times in 60 Posts

    Re: Access 2000 Security Loophole? (2000)

    Sorry for the delay in responding to your question - I've been moving my office, and Internet access has been very sporadic. In any event it sounds as if others have given you the correct response. In summary, if you are not the owner of the database, the conversion routines complain and won't let you proceed.
    Wendell

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •