UtterAccess.com
X   Site Message
(Message will auto close in 2 seconds)

Welcome to UtterAccess! Please ( Login   or   Register )

Custom Search
 
   Reply to this topicStart new topic
> Password/encrpt Front End So That It Doesn't Always Prompt For The Password, Any Version    
 
   
elgrigo
post Nov 9 2017, 10:29 AM
Post#1



Posts: 9
Joined: 9-September 17



Hi,

I know this is an old thread but I would like your opinion on this. I realize that Access is not the most secure database around but I have devised a way to make it a little bit more secure.

First I take an accdb file and split it into FE and BE. Then I password encrypt the BE, delete all tables from the FE and relink them to the BE by providing password. Then I compile the FE into accde and password encrypt it.

In order to open the FE so that the user does not use and does not know the password I use another starting database. This database opens the FE by passing over the password in case of a full version of Access. In case of a runtime version of Access where the NewObject and CreateObject methods cannot be used I use a fourth empty dummy db. The starting db opens the dummy db first and then opens the FE using the OpenObject method and passing the password (for this to work you have to have the location of your db into the trusted locations of your Access system). This way the user does not have to know the FE password and the FE is password protected. The passwords I use are of the maximum allowed length (20) and random characters since no one has to remember them.

Then I compile the starting db into accde, I throw in some useless code and a few more dummy passwords and procedure names in order to confuse those who will try to re-engineer the starting db. I hide some tables from the FE (not too many for the user to get suspicious) and I disable all relevant keys (shift, special keys etc) in FE as well as hide the ribbon and use my own. Do you think I am in the right direction? I would appreciate any suggestions. All the best.

Vlassis
Go to the top of the page
 
theDBguy
post Nov 9 2017, 10:40 AM
Post#2


Access Wiki and Forums Moderator
Posts: 71,232
Joined: 19-June 07
From: SunnySandyEggo


Hi,

Just one person's humble opinion... I think you're on the right track and have made a good start. However, as you already admitted, Access in not really a secure platform. I'm afraid all your hard work really means nothing if someone is determined to get into your database. Everything you have done can be reversed engineered, no matter if you only hid some or even all your tables. If someone wants to snoop inside, because they wanted to, and they know all the tricks, then there is nothing you can really do, in Access, to stop them. Even the encryption password is not really safe from hackers.

Just my 2 cents...

--------------------
Just my 2 cents... "And if I claim to be a wise man, it surely means that I don't know" - Kansas
Microsoft Access MVP | Access Website | Access Blog | Email
Go to the top of the page
 
DanielPineault
post Nov 9 2017, 11:34 AM
Post#3


UtterAccess VIP
Posts: 5,452
Joined: 30-June 11



I'll ask the question, why? I'm not saying what you are doing is wrong, just curious why you need this level of security.

What type of environment are you? In a corporate environment, this should not ever be required. What are you afraid of users getting access to? In a database, typically, the value is in the data, if that is the case then consider using SQL Server. With Access, the real issue is the fact that the file(s) can be copied and then hackers can take as long as they need to crack them open. Lock down the folder holding the BE by using a Traverse permission and lock down who has access to the FE.

--------------------
Daniel Pineault (2010-2017 Microsoft MVP)
Professional Help: http://www.cardaconsultants.com
Free MS Access Code, Tips, Tricks and Samples: http://www.devhut.net

* Design should never say "Look at me". It should always say "Look at this". -- David Craib
* A user interface is like a joke, if you have to explain it, it's not that good! -- Martin LeBlanc


All code samples, demonstration databases, links,... are provided 'AS IS' and are to be used at your own risk! Take the necessary steps to check, validate ...
Go to the top of the page
 
GroverParkGeorge
post Nov 9 2017, 03:14 PM
Post#4


UA Admin
Posts: 31,237
Joined: 20-June 02
From: Newcastle, WA


I concur with the previous sentiments.

If you distribute your application externally, i.e. if you sell it to customers who can't be trusted to respect your intellectual property, this level of effort might seem justified.

If you are worried about co-workers stealing your ideas, code, etc., perhaps you have a different kind of problem, a personnel problem, not a database problem.

As has also been pointed out, securing the data is a different issue. Put it in a more secure environment if you are worried about co-workers misusing it. That is, SQL Server or another enterprise-grade database.

Nothing wrong with the exercise described per se. It's just that it seems like a large investment for a small potential gain.

--------------------
Go to the top of the page
 
bsterman
post Nov 23 2017, 02:27 AM
Post#5



Posts: 1
Joined: 22-November 17



Thanks for this idea. I have a problem that this may solve, namely the HUGE security hole related to linked tables. That is, you split your database into FE and BE and PW protect the BE. You can hide all the tables, but it is trivial to connect (for example via Excel) to the FE which has the BE tables linked to it. Using that connection you can alter any data in any table. Even MDE FEs. Your idea will close that hole.

Is there any other way to disable odbc connections to an access database from within the database? PW protecting the database is OK, but if someone has the PW then THEY can alter data.

Baruch
Go to the top of the page
 
theDBguy
post Nov 23 2017, 10:26 AM
Post#6


Access Wiki and Forums Moderator
Posts: 71,232
Joined: 19-June 07
From: SunnySandyEggo


Hi Baruch,

Welcome to UtterAccess!
welcome2UA.gif

To which idea were you referring?

--------------------
Just my 2 cents... "And if I claim to be a wise man, it surely means that I don't know" - Kansas
Microsoft Access MVP | Access Website | Access Blog | Email
Go to the top of the page
 
elgrigo
post Dec 2 2017, 06:19 PM
Post#7



Posts: 9
Joined: 9-September 17



Sorry it took me so long to reply. I agree with George in that it is my intention to distribute my application to others and I want to protect my intellectual property sort of. How they protect the data will be their concern (eg use a secure server etc).

Vlassis
Go to the top of the page
 
theDBguy
post Dec 2 2017, 06:35 PM
Post#8


Access Wiki and Forums Moderator
Posts: 71,232
Joined: 19-June 07
From: SunnySandyEggo


Hi Vlassis,

If I understand it correctly, to agree with George would mean you are distributing your application to external users. Is this correct? Are you selling your Access application as a commercial product?

--------------------
Just my 2 cents... "And if I claim to be a wise man, it surely means that I don't know" - Kansas
Microsoft Access MVP | Access Website | Access Blog | Email
Go to the top of the page
 


Custom Search
RSSSearch   Top   Lo-Fi    16th December 2017 - 01:30 PM