Challenge User To Gain Access To Sensitive Information, Access 2010

Psycoperl
post Mar 18 2015, 01:58 PM
Post#1

I would like to know if there is a way to require a user to reenter/validate their Windows Username and Password credentials when they are trying to access sensitive information in a database.

Here is the situation that I envision.

A user logs in to Windows and the system (they have a high level of access), they leave their desk, and a co-worker with a lower level tries to view a part of the system that is restricted to high-level users.

I would like to challenge the user when they need to look at the higher-level information in the system and make them re-enter their Windows username and password to verify their identity.

Is this possible?


Best.
theDBguy
post Mar 18 2015, 02:02 PM
Post#2

Hi,

Welcome to UtterAccess!
I would think that is possible but not sure which way to go yet. I am thinking since you want to query the Operating System that you might try using an API call to do it. Just a thought...
doctor9
post Mar 18 2015, 02:09 PM
Post#3

Psycoperl,

Welcome to UtterAccess!

Technically, this should be possible. You can use code to look at the username if the computer is logged into a network that uses them. But what you're talking about is asking for a password regardless of how the person is logged in. This could be done by doing things like adding a username/password requirement before opening a form/report that displays this higher level information. This sort of thing is pretty straightforward; you have a table with usernames, passwords and security levels, and a simple lookup can confirm that the user entered a valid password for what they're trying to do.

By the way, in my company, employees are required to lock their computers every time they walk away from them, even if only for a few minutes, to prevent this sort of security from being implemented. In Windows 7, this is done easily enough with the Windows Key-L combination. Higher-level users (like Human Resources managers) do not take fondly to entering their password repeatedly during the same sit-down session with their computers. You will want to weigh that against your desire to make things more secure.

Another thing you may need to take into account: if you are working with medical information in the United States, I don't think MS Access meets federal guidelines for security, based on previous discussions I've seen here. Search on the term HIPAA to see more information if you have concerns.

Hope this helps,

Dennis
Psycoperl
post Mar 18 2015, 02:20 PM
Post#4

Thank you both for the feedback... While I was hoping to avoid the user remembering yet another password, I guess that is the only option.

On that front, is there a way to store the password in the table that is not in plain text?
theDBguy
post Mar 18 2015, 02:37 PM
Post#5

Re: "I guess that is the only option."

I would think that it is not your only option. As I said earlier, it should be possible to use API calls like this one to authenticate a user through the Windows Operating System.

Re: "...is there a way to store the password in the table that is not in plain text?"

What I would recommend in that situation is to avoid storing the password itself. Instead, run the user's password through a one-way hash and then store the hash value in the table. That way, a hacker cannot guess the password even if they see the hash value.

Hope that helps...
Psycoperl
post Mar 18 2015, 03:09 PM
Post#6

I understand the hash concept, how do I do it in Access/VBA?

Re the API, I will take a look at that link.

Thanks.
theDBguy
post Mar 18 2015, 04:08 PM
Post#7

We have a Wiki article on Hash.
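The hash step Psycoperl asks about in post #6, worked through as an added example (this is not code from the thread or from the UA wiki): one standard module that keeps a per-user random salt and an iterated SHA-256 hash in the kind of users table doctor9 describes in post #3, and checks a password plus security level without ever storing the password itself, as theDBguy recommends in post #5. The table name tblAppUsers and its columns are assumptions. It reaches the .NET SHA256Managed and RNGCryptoServiceProvider classes through CreateObject, which works on any Windows machine with the .NET Framework installed and needs no extra references; if a real password KDF (bcrypt, PBKDF2) is available to you through a library, prefer it over this hand-rolled iteration.

```vba
Option Compare Database
Option Explicit

' Added example, not from the thread. Assumed table:
'   tblAppUsers(UserName Text(255), PwdSalt Text(32), PwdHash Text(64), SecurityLevel Long)
' PwdSalt and PwdHash are hex strings; the password itself is never written anywhere.

Private Const HASH_ITERATIONS As Long = 50000   ' tune so one check takes ~0.5 s on your slowest PC

' Hex-encode a byte array (two characters per byte).
Private Function BytesToHex(b() As Byte) As String
    Dim i As Long, s As String
    For i = LBound(b) To UBound(b)
        s = s & Right$("0" & Hex$(b(i)), 2)
    Next i
    BytesToHex = s
End Function

' 16 bytes from the OS cryptographic RNG; a fresh one every time a password is set.
Public Function NewSalt() As String
    Dim rng As Object, salt(0 To 15) As Byte
    Set rng = CreateObject("System.Security.Cryptography.RNGCryptoServiceProvider")
    rng.GetBytes salt
    NewSalt = BytesToHex(salt)
End Function

' SHA-256 of salt || password, re-hashed until HASH_ITERATIONS hashes have been done.
' The salt defeats precomputed tables; the iterations slow down offline guessing
' if someone copies the back-end file.
Public Function HashPassword(ByVal password As String, ByVal saltHex As String) As String
    Dim sha As Object, utf8 As Object, buf() As Byte, i As Long
    Set sha = CreateObject("System.Security.Cryptography.SHA256Managed")
    Set utf8 = CreateObject("System.Text.UTF8Encoding")
    buf = sha.ComputeHash_2((utf8.GetBytes_4(saltHex & password)))
    For i = 2 To HASH_ITERATIONS
        buf = sha.ComputeHash_2((buf))
    Next i
    HashPassword = BytesToHex(buf)
End Function

' Enrol or change a password. Parameterised query, so names containing quotes are safe.
Public Sub SetUserPassword(ByVal userName As String, ByVal newPassword As String)
    Dim salt As String, qd As DAO.QueryDef
    salt = NewSalt()
    Set qd = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pSalt Text(255), pHash Text(255), pUser Text(255); " & _
        "UPDATE tblAppUsers SET PwdSalt = [pSalt], PwdHash = [pHash] WHERE UserName = [pUser]")
    qd.Parameters("pSalt") = salt
    qd.Parameters("pHash") = HashPassword(newPassword, salt)
    qd.Parameters("pUser") = userName
    qd.Execute dbFailOnError
End Sub

' True only if the password matches AND the user's level reaches requiredLevel.
' Call it from the restricted form's Open event:  Cancel = Not VerifyUser(...)
Public Function VerifyUser(ByVal userName As String, ByVal password As String, _
                           ByVal requiredLevel As Long) As Boolean
    Dim qd As DAO.QueryDef, rs As DAO.Recordset
    Set qd = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pUser Text(255); " & _
        "SELECT PwdSalt, PwdHash, SecurityLevel FROM tblAppUsers WHERE UserName = [pUser]")
    qd.Parameters("pUser") = userName
    Set rs = qd.OpenRecordset(dbOpenSnapshot)
    VerifyUser = False
    If rs.EOF Then
        ' Unknown name: still do the work so response time does not reveal which names exist.
        Call HashPassword(password, NewSalt())
    ElseIf StrComp(HashPassword(password, Nz(rs!PwdSalt, "")), Nz(rs!PwdHash, ""), vbBinaryCompare) = 0 Then
        VerifyUser = (Nz(rs!SecurityLevel, 0) >= requiredLevel)
    End If
    rs.Close
End Function
```

Collect the password through a small form whose text box has the Password input mask rather than through InputBox, which echoes what is typed. A user with no password set has an empty PwdHash, which HashPassword can never produce, so such an account is denied rather than let through.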
dmhzx
post Mar 18 2015, 04:18 PM
Post#8

My very personal view is that you're trying to bite off a huge chunk of unnecessary work.
Trying to code around an event that is extremely unlikely to happen, and the checks themselves are likely to irritate the very people you want to help.

But then again, I have no idea what your users are like.

I have a system on 95 PCs, where every user can, if they really want, run the report of another project manager's project, or a host of other options.
And in four years, it's never been any sort of problem.

"Oh no, every time I want to do any work I have to enter my ID and password again" -- It's bad enough when the Microsoft default insists on that every time you want to tweak a shortcut.

But as I said. That's just me.
doctor9
post Mar 18 2015, 04:34 PM
Post#9

To add to what dmhzx said, and reiterate what I said earlier, I'd say your simplest, best solution to this issue is to train your users to lock their computers when not using them. This is a good idea across the board, not just for database stuff. It protects their E-Mail, and any other stuff they have access to.

The act of locking the computer ensures that the next user to use the computer has to enter a username/password to verify who they are.

Dennis
HiTechCoach
post Mar 19 2015, 12:31 AM
Post#10

Psycoperl,

I also responded to your duplicate post on another site:

It is possible to authenticate against Active Directory.

Try this:

CODE
Option Explicit

' Authenticates the supplied user name and password against the domain by
' binding to it through the ADSI WinNT provider. Any failure (bad password,
' unknown user, unreachable domain controller, typo in strDomain) lands in
' the error handler and returns False, so the function fails closed.
' It returns True for ANY valid domain account, so the caller must still check
' that strUserName is the person who is supposed to be at the keyboard.
Private Const ADS_SECURE_AUTHENTICATION As Long = 1   ' ADS_AUTHENTICATION_ENUM

Function WindowsLogin(ByVal strUserName As String, ByVal strPassword As String, ByVal strDomain As String) As Boolean

    On Error GoTo IncorrectPassword

    Dim oADsObject As Object
    Dim oADsNamespace As Object
    Dim strADsPath As String

    strADsPath = "WinNT://" & strDomain
    Set oADsNamespace = GetObject("WinNT:")
    ' OpenDSObject binds with the supplied credentials and raises an error if
    ' they are rejected. The original post passed 0 (default authentication);
    ' ADS_SECURE_AUTHENTICATION asks the WinNT provider to use NTLM.
    Set oADsObject = oADsNamespace.OpenDSObject(strADsPath, strDomain & "\" & strUserName, strPassword, ADS_SECURE_AUTHENTICATION)

    WindowsLogin = True    'ACCESS GRANTED

ExitSub:
    Set oADsObject = Nothing
    Set oADsNamespace = Nothing
    Exit Function

IncorrectPassword:
    WindowsLogin = False   'ACCESS DENIED
    Resume ExitSub
End Function
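An added example (not from HiTechCoach's post) of calling that function from the restricted form so the challenge actually proves the right person is at the keyboard. WindowsLogin returns True for any valid domain account, so a prompt that lets the user type both a name and a password would happily accept the lower-level co-worker's own credentials. The code below never asks for a name: it reads the logged-on account from the process token with GetUserNameEx in secur32.dll (not from %USERNAME%, which any process on the desktop can override before launching Access) and authenticates only that account. The modal form frmReAuth, the public variable ReAuthPassword it fills, and the audit hook are assumptions. Each failed attempt is a real logon failure for the domain account and counts toward any lockout policy, which is why the attempts are capped.

```vba
Option Compare Database
Option Explicit

' Added example, not from the thread. Assumes WindowsLogin (from the post above)
' is in a standard module, and a modal form frmReAuth with one text box
' (Input Mask "Password") that copies its value into ReAuthPassword and closes.
' All names are hypothetical.

Private Declare PtrSafe Function GetUserNameEx Lib "secur32.dll" Alias "GetUserNameExA" _
    (ByVal NameFormat As Long, ByVal lpNameBuffer As String, ByRef nSize As Long) As Long
Private Const NameSamCompatible As Long = 2   ' EXTENDED_NAME_FORMAT: "DOMAIN\user"
Private Const MAX_ATTEMPTS As Long = 3

Public ReAuthPassword As String   ' set by frmReAuth, wiped here as soon as it has been used

' DOMAIN and user of the token Access is running under. Returns False if the
' OS call fails (e.g. a local, non-domain account), which should deny access.
Public Function SessionAccount(ByRef domain As String, ByRef user As String) As Boolean
    Dim buf As String, n As Long, s As String, p As Long
    buf = String$(256, vbNullChar)
    n = Len(buf)
    If GetUserNameEx(NameSamCompatible, buf, n) = 0 Then Exit Function
    s = Left$(buf, InStr(buf, vbNullChar) - 1)
    p = InStr(s, "\")
    If p = 0 Then Exit Function
    domain = Left$(s, p - 1)
    user = Mid$(s, p + 1)
    SessionAccount = True
End Function

' True only if the logged-on Windows user re-enters their own password.
' Call from the restricted form's Open event:  Cancel = Not ReAuthenticate()
Public Function ReAuthenticate() As Boolean
    Dim domain As String, user As String, attempt As Long, ok As Boolean
    If Not SessionAccount(domain, user) Then Exit Function
    For attempt = 1 To MAX_ATTEMPTS
        ReAuthPassword = ""
        ' acDialog blocks until frmReAuth closes; OpenArgs lets it display who must type.
        DoCmd.OpenForm "frmReAuth", WindowMode:=acDialog, OpenArgs:=domain & "\" & user
        If Len(ReAuthPassword) = 0 Then Exit For             ' user cancelled
        ok = WindowsLogin(user, ReAuthPassword, domain)
        ReAuthPassword = String$(Len(ReAuthPassword), "*")   ' overwrite, then drop
        ReAuthPassword = ""
        If ok Then
            ReAuthenticate = True
            Exit Function
        End If
    Next attempt
    AuditEvent "REAUTH_DENIED", domain & "\" & user
End Function

' Minimal audit hook; replace with an insert into your own log table.
Private Sub AuditEvent(ByVal what As String, ByVal who As String)
    Debug.Print Format$(Now, "yyyy-mm-dd hh:nn:ss"), what, who, Environ$("COMPUTERNAME")
End Sub
```

Because the name is taken from the token, a co-worker who reaches the unlocked desk is asked for the absent user's password, not their own, which is the whole point of the challenge.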
AlanAnderson
post Mar 19 2015, 01:16 AM
Post#11

Hi All,

The simplest solution of all is to get the users to use the Windows screen saver set to say, 10 minutes, of inactivity then requiring password to reactivate Windows.

Regards

Alan
HiTechCoach
post Mar 19 2015, 04:46 PM
Post#12

I have tried Alan's suggestion of using a screen saver before, but a 10 minute delay was too long. Someone could get to the PC in that time.

I also tried using a timer in Access that, when it was idle, would log them out of the Access application. I even tried making it lock the workstation.


While all of these did work, the delay would still allow a user enough time to get to the PC and do what you were trying to avoid.

You could have the user lock the PC before walking away (Windows key + L).

The best solution I have found is to make separate front ends. Put the higher-level access stuff in a separate front end. That way the user only has to log in to it once, when they really need the info. The front end with the more sensitive access also has an idle timer of just a few minutes, and it will log out.

In the end it really is up to the users to protect the data. Technology can only do so much.
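The idle timer HiTechCoach describes, as an added example (not his code): this goes in the class module of the form that shows the restricted data in the sensitive front end. Every key press or mouse movement the form sees resets a clock; after IDLE_SECONDS without input the form closes and, if LOCK_DESKTOP_ON_IDLE is set, the Windows session is locked with LockWorkStation from user32.dll, which is what Win+L does, so whoever walks up finds a logon screen rather than an open application. The two constants are assumptions to tune. Form_MouseMove fires only over the form's own sections, so wire large controls' MouseMove events to TouchActivity as well if keyboard activity alone is not a good enough signal.

```vba
Option Compare Database
Option Explicit

' Added example, not from the thread. Lives in the class module of the form
' that displays the restricted data.

Private Declare PtrSafe Function LockWorkStation Lib "user32.dll" () As Long

Private Const IDLE_SECONDS As Long = 120             ' assumption: tune for your users
Private Const LOCK_DESKTOP_ON_IDLE As Boolean = True ' False = just close the form

Private mLastActivity As Date

Private Sub Form_Load()
    Me.KeyPreview = True       ' the form sees every keystroke, whichever control has focus
    Me.TimerInterval = 1000    ' Form_Timer runs once a second
    TouchActivity
End Sub

' Call from any event that proves a person is still there.
Public Sub TouchActivity()
    mLastActivity = Now
End Sub

Private Sub Form_KeyDown(KeyCode As Integer, Shift As Integer)
    TouchActivity
End Sub

' Fires only over the form's sections, not over controls; add the same call to
' the MouseMove of large controls (subforms, memo boxes) if you need it.
Private Sub Form_MouseMove(Button As Integer, Shift As Integer, X As Single, Y As Single)
    TouchActivity
End Sub

Public Function IdleSeconds() As Long
    IdleSeconds = DateDiff("s", mLastActivity, Now)
End Function

Private Sub Form_Timer()
    If IdleSeconds() < IDLE_SECONDS Then Exit Sub
    Me.TimerInterval = 0                         ' stop the timer before closing
    DoCmd.Close acForm, Me.Name, acSaveNo        ' drop the sensitive data from view
    If LOCK_DESKTOP_ON_IDLE Then LockWorkStation ' same effect as Win+L; password needed to resume
End Sub
```

A two-minute window is still a window, which is why this complements, rather than replaces, the habit of locking the PC on the way out.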
doctor9
post Mar 20 2015, 08:49 AM
Post#13

Personally, I think of my computer the way a bank teller would think of a pile of cash on their counter.

If you walk away, even for a minute, you put the cash in a drawer, and lock it. If the teller forgets to do this, and someone walks off with a bunch of cash, it's the teller's responsibility, not the person who built the drawer.

The employee needs to take personal responsibility for this sort of security, not the database developer. Windows has an easy-to-use setup to lock the PC.

Just my two cents.

Dennis
dmhzx
post Mar 20 2015, 12:02 PM
Post#14

FWIW

100% agree Dennis.

tina t
post Mar 20 2015, 01:34 PM
Post#15

i'll weigh in with others in the thread in saying that, ultimately, each user is responsible for his/her personal security. i have several applications running at work, that require each authorized user to enter a personal password to use the app. once logged in, each user sees only his/her own records, which are tagged with a user ID when created. and each time i authorize a new user, i give them the same short speech:

"you're responsible for your password and your records. if you give somebody your password, or walk away from the computer while you're logged into the application, then somebody else can add/edit/delete records and you will be responsible for that. don't come afterward and cry to me about it. period."

i've never had a single complaint, from a user or from management, about database security.

hth
tina
gemmathehusky
post Mar 23 2015, 06:25 AM
Post#16

seems a good idea

why not just ask the user to login again with his original credentials to do this.

this is similar to the way the UK government sites work. you log in to access the services, but when you actually want to do something, (eg file a tax return) many of the services request you to re-enter your original login credentials. It's a bit irritating, but I suppose it's better than having someone illegally accessing your data.


sorry - I see you are talking about windows login. I am talking about systems that have their own internal login system.
FrankRuperto
post Dec 19 2019, 09:19 AM
Post#17

QUOTE
Personally, I think of my computer the way a bank teller would think of a pile of cash on their counter. If you walk away, even for a minute, you put the cash in a drawer, and lock it. If the teller forgets to do this, and someone walks off with a bunch of cash, it's the teller's responsibility, not the person who built the drawer. The employee needs to take personal responsibility for this sort of security, not the database developer. Windows has an easy-to-use setup to lock the PC. Just my two cents. Dennis


Well said! Rest In Peace, Dennis

--------------------
Currently supporting pawnbrokers that use my store management system developed with Access 2010 on Windows7. Experienced with Informix and Oracle DB's.
isladogs
post Dec 20 2019, 05:46 AM
Post#18

Just to add to this old thread resurrected by Frank...
My commercial databases used in schools require users to login as workstations are in classrooms as well as office areas.
This is to prevent unauthorised access by students etc.
For particularly sensitive data, I require users to enter a password which is only issued to users with appropriate permissions and is periodically updated.
Each type of sensitive data (child protection, exclusions etc) has a different password.
The passwords are stored securely using 128-bit encryption.

Code is also used to check the location of the workstation.
If its a public place such as a classroom, all access to sensitive data is blocked.

Although this approach means those users have to remember additional passwords, the number of such users is small and there have never been any security breaches in almost 20 years of use in multiple schools.

--------------------
Colin (Mendip Data Systems)
FrankRuperto
post Dec 20 2019, 08:16 AM
Post#19

Hi Colin,

QUOTE
Each type of sensitive data (child protection, exclusions etc) has a different password.


That is role-based security. Does your system track which users logged in at each workstation?
As Dennis pointed out, security is only as good as the users who enforce it.
I recently visited a USA government agency and noticed workers with card keys on a chain around their neck.
If workers leave their desks, they retrieve their card keys from the reader and their workstations lock up.
This post has been edited by FrankRuperto: Dec 20 2019, 08:34 AM

isladogs
post Dec 20 2019, 08:28 AM
Post#20

Hi Frank
Yes it does track who is logged on at each workstation together with the logon/logoff times.

Taking it one stage further, it also logs each feature that the users access - form name / control etc.
That is mainly related to the automatic error logging feature which 'silently' sends me an email (who/what/where/when) with details of any errors.
After implementing that (with clients' permission) back in 2016, I was able to eliminate all program bugs and am pleased to say I haven't received any error emails in well over a year.
That feature is also useful for determining which features are used most frequently and those used rarely. So I can prioritise future developments.

Of course, it could also be used for surveillance of user activity. I can remember one occasion where it was necessary to remove permission rights from a member of staff related to this.
