Locking Up An App, Access 2016
 
   
lancemcgonigal
post Feb 2 2018, 11:11 PM
Post#1



Posts: 9
Joined: 1-February 18



I'm trying to make an Access app as secure as possible. I've done a few things to lock it down including the following:

1. Password protect the back-end. Keeps folks out of the data source.
2. Compile the front-end. Protects the source code and design of the system.
3. Created a group-based security system to give levels of access to forms: Restrict, Read-only, and Edit. Determines what rights users have to data from the screen.
4. Disabled the bypass shift feature with code. Can't get under the app on startup.
5. Custom ribbon. Removed backstage options, design group, database tools, create tab. Keeps new queries from being created.
6. Removed shortcut menus. Keeps the queries from being put in design mode.
7. Only open queries from a menu in read-only mode.

Have I missed anything? I've tried to get "under" the app every way I know how and am blocked. Is there another window to break in?

Thanks!
 
theDBguy
post Feb 3 2018, 12:06 AM
Post#2


Access Wiki and Forums Moderator
Posts: 72,423
Joined: 19-June 07
From: SunnySandyEggo


Hi,

Welcome to UtterAccess!

Access is not a very secure platform. What are you trying to protect and from whom?

You couldn’t hack your way into the app because you have blocked every entry you know of. However, someone with more knowledge than you might not have any problem gaining access to it. For example, did you know the password for the BE is stored in plain text in the FE? Someone who knows how to get this password through the FE can easily steal your data.

Just my 2 cents...

 
lancemcgonigal
post Feb 3 2018, 12:51 AM
Post#3



Posts: 9
Joined: 1-February 18



Thanks...Yes...I guess what I'm asking is have I missed any other ways in. Do you know of a way I missed?

 
JonSmith
post Feb 3 2018, 05:27 AM
Post#4



Posts: 3,412
Joined: 19-October 10



If you save your file extension as .accdr it will run the database in 'runtime mode', which blocks a bunch of content. I think it's the easiest and most effective way to block a lot of functionality; you'll get the same 'no shift bypass' effect, for example, without messing around as much.

As theDBGuy says, a lot of us could still easily get in. I can remove the bypass key with no issue on your database. I can also easily get into your data and mess with your security settings, which I imagine are saved in a table in the BE, right?

To get into your password protected BE I can simply create a new blank database and then use the linked table manager on your FE. The linked tables will show up and I can import them into my new database. Not only can I now easily view and edit all the data in the tables but I can view the connection string of the table with the password in it.


I work to the rule of I expect my users to act professionally. I tell the people I work with that I expect some people to be idiots, so I lock down enough to make sure they cannot break it, but I do not expect anyone to be (UA will censor me here so no point typing it) and to try to break in and mess with stuff.
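The weakness described in Post#2 and Post#4 (the back-end password sitting in each linked table's connection string in the front-end) can be checked for from the defender's side. The following is an added example, not code from any poster in this thread: a VBA audit routine for the front-end that counts linked tables whose connect string carries a `PWD=` value, without printing the password. The function names and the strings in `SelfCheck` are constructed for illustration.

```vba
Option Compare Database
Option Explicit

' Added audit example; not code from the thread. Run it in the front-end
' from the Immediate window:  ? AuditLinkedTables()
' Returns how many linked tables embed a password in their connect string.
Public Function AuditLinkedTables() As Long
    Dim db As DAO.Database
    Dim tdf As DAO.TableDef
    Dim flagged As Long

    Set db = CurrentDb   ' keep one reference; CurrentDb returns a new object per call
    For Each tdf In db.TableDefs
        ' Local tables have an empty Connect property; linked tables do not.
        If Len(tdf.Connect) > 0 Then
            If Len(ConnectPart(tdf.Connect, "PWD")) > 0 Then
                flagged = flagged + 1
                ' Report the table and its target file, never the secret itself.
                Debug.Print "Embedded password: " & tdf.Name & _
                            " -> " & ConnectPart(tdf.Connect, "DATABASE")
            End If
        End If
    Next tdf
    AuditLinkedTables = flagged
End Function

' Returns the value of one "key=value" part of a ";"-separated connect string,
' or "" when the key is absent. Key matching is case-insensitive.
Private Function ConnectPart(ByVal connStr As String, ByVal key As String) As String
    Dim parts() As String, i As Long, part As String
    parts = Split(connStr, ";")
    For i = LBound(parts) To UBound(parts)
        part = Trim$(parts(i))
        If StrComp(Left$(part, Len(key) + 1), key & "=", vbTextCompare) = 0 Then
            ConnectPart = Mid$(part, Len(key) + 2)
            Exit Function
        End If
    Next i
End Function

' Parser check on constructed connect strings (not real credentials or paths).
Public Sub SelfCheck()
    Const LINKED As String = "MS Access;PWD=constructed-value;DATABASE=C:\Example\be.accdb"
    Debug.Assert ConnectPart(LINKED, "pwd") = "constructed-value"
    Debug.Assert ConnectPart(LINKED, "DATABASE") = "C:\Example\be.accdb"
    Debug.Assert ConnectPart(";DATABASE=C:\Example\be.accdb", "PWD") = ""
End Sub
```

A non-zero result means the back-end password travels with every copy of the front-end, so the back-end file's own access controls (file-share permissions, or a server data store as suggested later in the thread) are what actually protect the data.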
 
lancemcgonigal
post Feb 3 2018, 07:06 AM
Post#5



Posts: 9
Joined: 1-February 18



Jon...Thanks. You are spot on. The approach I'll take with my client is to "shrink the window" of opportunity for hacking. I appreciate you sharing the techniques.
 
GroverParkGeorge
post Feb 3 2018, 08:25 AM
Post#6


UA Admin
Posts: 32,810
Joined: 20-June 02
From: Newcastle, WA


I don't have specific security advice to add per se.

However I do have a couple of observations based on more than 20 years of working with Access, and more than 40 years of working with other people.

Access is never going to be totally secure, although you can minimize the risk, as has been discussed. So, if you have data that you can't afford to share with competitors or with identity thieves, migrate to a more secure data store such as SQL Server or Oracle, etc.

If you are worried about the intellectual property in your Access code, perhaps you're justified, but perhaps not. Again, the test is whether you are trying to sell an application that could be pirated by someone else to sell as their own. If so, again, you can make Access reasonably secure, but there might be more appropriate tools to create a more secure interface.

And finally, if you are worried about your colleagues deliberately, or even accidentally, destroying your work, sabotaging each other's Access accdbs, stealing your company data to sell to a competitor, snooping in data they shouldn't (payroll information, for example) then I would say you have a people problem, not a database problem. And that calls for other measures.

One of the most interesting lectures I ever attended on this topic was delivered by a director at a company where I worked. She told us that she firmly believed her staff were basically the best she could hire, or she wouldn't have hired them. She said she thought most of them came to work every day trying to think of ways to do a good job, impress their managers, and get rewarded accordingly. No one, or very few people, came to work trying to think up new ways to cause trouble.

I think she was right.

 
lancemcgonigal
post Feb 3 2018, 12:11 PM
Post#7



Posts: 9
Joined: 1-February 18



Grover...Excellent input...Thank you.

I have discussed the security aspects of SQL Server vs Access BE. They don't have the budget for administration and certainly not the skills. This approach seems to "strike" a balance. I appreciate your input.

Sometimes the struggle is knowing when it's "good enough". I would like it to be better but I'm not paying for it.

Thanks again.
 
GroverParkGeorge
post Feb 3 2018, 12:18 PM
Post#8


UA Admin
Posts: 32,810
Joined: 20-June 02
From: Newcastle, WA


As long as you've discussed it and obtained their commitment NOT to invest in the resources, you should be good. That brings up another thought, which has been brought home to me more than once over the years. A Backup Protocol. It's important to establish, implement, maintain and test one.

Luke Chung, founder and CEO at FMS, likes to say that he presents potential clients with an option to either have his company set up a Backup system or to sign an agreement accepting full financial responsibility and liability for any consequences arising out of NOT setting one up for their company. As of the last time I talked to him, nobody had yet signed that refusal.

We're all happy to help.


George

 
lancemcgonigal
post Feb 3 2018, 03:00 PM
Post#9



Posts: 9
Joined: 1-February 18



You sir are spot on...I tell all my clients that if you don't do a recovery exercise periodically then you have hope as a strategy.

I too am a fan of Luke's work. Regarding the security aspects of Access I revert back to my military background. The apps are "hardened". Nothing is secure but we can take precautions that put the outcome of intrusions in our favor. Thanks for your insight. Very good.
 

