UtterAccess Forums _ Access Security _ Example Of The Widest Possible Protection

Posted by: mylton May 22 2019, 06:04 AM

Good Morning.

First of all, I apologize to everyone for my English; it's not very good.

I am starting a project in Access, and after reading a lot I understand that it has some limitations in its protection, from the Shift key and others.

As I am a beginner in the art of programming, I would like the help of the most experienced: could someone provide an example of a file that is protected as broadly as possible, so that I can study it and start my project?

Thanks and hugs to everyone.


Posted by: DanielPineault May 22 2019, 06:50 AM

You have the cart in front of the horse, as they say. If you want a starting point, then review https://www.devhut.net/2016/09/01/securing-your-ms-access-database-front-end/. That said, I wouldn't be too concerned about security at this stage; I'd concentrate on proper data normalization, table/relationship structures, ... Securing and deploying comes later on. Personally, I'd start off with https://www.devhut.net/2017/04/09/setting-up-an-ms-access-database/ and https://www.devhut.net/2017/04/20/access-best-practices-and-troubleshooting-steps/

Posted by: mylton May 22 2019, 06:55 AM

thank you
Daniel.
I will read.
tomorrow, return
hugs.

Posted by: GroverParkGeorge May 22 2019, 07:17 AM

We have some http://www.UtterAccess.com/forum/index.php?showtopic=1998783. Much of what Daniel recommends is covered there.

Posted by: mylton May 22 2019, 09:00 AM

thank you Grover.
I'm going to study.
hugs.

Posted by: GroverParkGeorge May 22 2019, 09:25 AM

Just a point regarding protocols for the internet.

When my daughter texts me, she sometimes includes "hugs". Or I might text "hugs" to a brother or sister. However, I am not used to being sent "hugs" from people I've never met....

It's a concept that is probably lost a bit in translation....

George

Posted by: mylton May 22 2019, 10:05 AM

I understand.
here in Brazil we have the habit at the end, in thanksgiving, give "hugs".
as I said at the beginning my English is not very good.
Anyway, I apologize if there was any discomfort or anything like that.
I thank the help of all you.
Thank you.

Posted by: GroverParkGeorge May 22 2019, 10:10 AM

Not discomfort, but I thought you'd like to know.

I do say "abrazos" to my Venezuelan in-laws....

Posted by: gemmathehusky May 22 2019, 04:42 PM

but I think he speaks Portuguese, not Spanish, in Brazil

obrigado is the only Portuguese word I know.


Posted by: isladogs May 22 2019, 05:12 PM

I agree completely with the previous comments about getting the basics of your database sorted out first.
However when you are ready to implement security measures, have a look at this extended article and example database on my website http://www.mendipdatasystems.co.UK/improve-security/4594461803

Posted by: mylton May 22 2019, 06:54 PM

Good evening everyone.
Boys.
girls.
regardless of language, those that are part of this group, are ACCESS.
As said my English is not good!
but regardless of my country having an "A" or "B" language, I try to evolve in programming. But here, Brazil, there is little knowledge about you.
so if you can forgive different mistakes and customs among our countries, I am grateful.
once again....
my English is not good.
Thank you.

Posted by: GroverParkGeorge May 23 2019, 08:18 AM

Yup, that's true. However, from my limited exposure, there are similarities culturally. "Abrazos", which is Spanish for "hugs", is a very common attitude as well as gesture in both countries. I've not visited Brazil, only Venezuela, but that has brought me into contact with people from all over the South American continent.


Posted by: GroverParkGeorge May 23 2019, 08:21 AM

Please do not apologize. It was only intended to be a minor insight into one difference and I did not intend it to be negative in any way.

My nephew lived and worked in Ponta Grossa for three or four years, but I never had the chance to visit them. Jorge is originally from Venezuela, but works for a large US corporation. So, that's the extent of MY knowledge of Brazil.

Posted by: mylton May 23 2019, 03:54 PM


No problems.



about access ...
so read here....



When it comes to security, especially Database, Access gets harsh criticism and with good reason! This has even improved greatly in the versions of Access 2007 and 2010 with the use of encrypted password to open the application.

But what good is it to close the front door if we leave the back door open? That's what Microsoft has been doing: leave the back door wide open for anyone who understands a little Access, enter and get hold of the Database password, without ceremony!

The most used process of accessing the Database is through the mechanism of linking the tables. When we generate the links, the internal Access system kindly stores the database password in a system table, called MsysObjects, allowing easy access through the Navigation Panel and even external applications.

Private Sub Report_Open(Cancel As Integer)
    ' The record source is set at run time; the back-end password is embedded in the string
    Me.RecordSource = "SELECT * FROM tblClients IN '' [;Database=" & CurrentProject.Path & _
        "\Data.accdb;PWD=password];"
End Sub

Note that the password needs to be entered in the code. So I read it a lot to capture this password when the report is being displayed, even though the code is protected by the ACCDE extension.


From what I read, I noticed that some programmers were able to assemble code capable of managing the password of the links without it being exposed in the MsysObjects table, through the insertion of an object (a ListBox, for example) that is hidden and is connected to the recordset of a table.

While the connection to the listBox is active, any linked table can be accessed, even if the incorrect password in the links is indicated.

With the connection to the established backend, bind the tables with a false password so that the true password is not displayed in the MsysObjects system table.

I have read all this here on the site, but I have not found any examples of how to do this.
Would anyone have a tip or an example that might help?

Thank you

Posted by: isladogs May 23 2019, 04:37 PM

Have you looked at the link I gave in post #10? It includes detailed instructions and an example app you can use for testing.
You could also read my article http://www.mendipdatasystems.co.UK/encrypted-split-no-strings-db/4594566347.
This also includes an example app.

These two items cover almost all the issues involved and provide the answers I believe you are looking for.

Posted by: mylton May 24 2019, 10:01 AM

Good Morning.
I read yes.
I thought it was very good.
I'm trying to adapt.
however, as you yourself said, it uses as a basis the non-binding of tables, which in itself already after a significant increase in coding work.
As for the method of creating a fake password, as I mentioned in message number 10.
would it have any way? idea?
In relation to your topic where it says:
"that you can create deep hidden, that does not approach by security questions, what would be the way to learn?

Posted by: isladogs May 24 2019, 11:54 AM

Encrypting an entire database would be a lot of work. I've never done that myself.
However there are many other security measures in the first link I gave that I would definitely recommend doing. See the link originally given in post #10 http://www.mendipdatasystems.co.UK/improve-security/4594461803

I'm not sure what you mean regarding fake passwords.
If you hide navigation pane, ribbon etc, create an encrypted ACCDE FE and encrypted ACCDB BE together with other security, end users should not be able to view connection strings or see the BE password.
As previously mentioned, if you are that concerned with security, then use SQL Server for your BE.

As 'deep hidden' tables can be used as a further security measure, I never explain how to do this in forums as doing so would make that security almost worthless.
If you are that interested, you can do as I did. Research and experiment to work out how to apply the deep hidden property and how to undo it again!
If you succeed, please do not publish your solution in forums either.

Posted by: mylton May 24 2019, 12:02 PM

It's ok.
I'll try
Thank you.

Posted by: mylton May 25 2019, 09:32 AM

Good Morning.
Isladogs.
following their precious tips, which tables
should be encrypted to prevent access to the password we see in the MSysObjects table?
would you use encryption on the whole table or just in the specific field?
or would it in VBA?
Thank you.

Posted by: isladogs May 25 2019, 09:46 AM

Any linked table from a password protected BE will have that password in its connection string. You can see that if you hover over the linked table in the navigation pane.
As you pointed out, the password is also visible for those linked tables in the MSysObjects system table.

There is no point encrypting those linked tables to obscure the password, as it's not stored in the table itself.
You cannot encrypt system tables.

If you want to prevent users seeing the BE password(s), follow the steps in my article, including hiding the navigation pane and hiding Access options so it can't be restored.
You can also try the no strings approach so there are no permanently linked tables, if you think it's worth the effort.
If security is that important, use SQL Server or similar for your backend.
BUT do remember, whilst you can improve Access security and prevent the average user tampering with your data, a highly skilled hacker with sufficient time and determination can crack any Access database.
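
The point made in the post above, that every linked table from a password-protected back end carries the password in its connection string, can be checked from inside the front end. The following is an added example, not code from the thread or from any poster: it walks the DAO TableDefs collection and reports which linked tables expose a PWD= value, masking the value itself. The function names are hypothetical.

```vba
' Added example: audit the current front end for linked tables whose
' stored connection string carries a PWD= value. Function names are hypothetical.
Option Compare Database
Option Explicit

' Returns the number of linked tables exposing a password and
' lists them (password masked) in the Immediate window.
Public Function AuditLinkedTablePasswords() As Long
    Dim db As DAO.Database
    Dim tdf As DAO.TableDef
    Dim found As Long

    Set db = CurrentDb
    For Each tdf In db.TableDefs
        ' Connect is empty for local tables and holds the link string for linked ones
        If Len(tdf.Connect) > 0 Then
            If HasPassword(tdf.Connect) Then
                found = found + 1
                Debug.Print tdf.Name & " -> " & MaskPassword(tdf.Connect)
            End If
        End If
    Next tdf
    AuditLinkedTablePasswords = found
End Function

' True when any semicolon-separated part of the string starts with PWD=
Private Function HasPassword(ByVal connectString As String) As Boolean
    Dim part As Variant
    For Each part In Split(connectString, ";")
        If UCase$(Left$(Trim$(part), 4)) = "PWD=" Then HasPassword = True
    Next part
End Function

' Rebuilds the connection string with the password value replaced by asterisks
Private Function MaskPassword(ByVal connectString As String) As String
    Dim parts() As String
    Dim i As Long
    parts = Split(connectString, ";")
    For i = LBound(parts) To UBound(parts)
        If UCase$(Left$(Trim$(parts(i)), 4)) = "PWD=" Then parts(i) = "PWD=********"
    Next i
    MaskPassword = Join(parts, ";")
End Function
```

Run `?AuditLinkedTablePasswords()` in the Immediate window of the front end before distributing it; a result of 0 means no permanently linked table stores a back-end password.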

Posted by: gemmathehusky Jun 21 2019, 12:41 PM

You mentioned "protected as broadly as possible". I think what everyone is trying to show you is just how difficult that is.


In addition, it's worth looking at Wayne Phillips' CodeProtector on everythingaccess.com. He demonstrates how a compiled .de database retains enough symbolic information to be effectively reverse-engineered back to the original code, irrespective of whatever protection you use. fwiw, I always use his CodeProtector on any database I distribute.

Posted by: WildBird Jun 23 2019, 10:18 PM

Hi Mylton, how are you?

I don't speak Portuguese, but I understand a little. Your English is very good!

Will write English for others following this.

Security. I am working on 'secure' files at this project. I have to deal with text files and import and export these, so I need to encrypt these; for this I use WinZip or 7Zip, all automated from the Access front end. The data is stored 'temporarily' in Access. Not one person here supports Access. All architects, technical managers etc. say Access is not up to standard, but I continue to use it as there are other issues with getting SQL Server here (political, not technical). I have encrypted the Access database, and it is on a network that only has certain users able to access it, but as everyone else has pointed out, if you want it secured, don't store data in Access.

Cheers