
Why bother securing?

Author
17 Aug 2006 2:59 PM
JZ
Hi,

I'm just wondering why I should bother securing my MS Access Database, I
mean you can download tools which will remove all the security?

I'm looking for answer to give to my boss.

Thanks,

--
jj

Author
17 Aug 2006 3:50 PM
Chris Mills
Because the majority of your customers just have a job to do, they don't have
time or incentive to break your program.

Because the majority of your customers don't know Access, in spite of how easy
it is to break.

Because, sooner or later they'll call up for some advice or other, and you'll
have a list of valid customers.

On a purely technical level, you are right.

(my concern is more ripping-off the program than protecting the data, which is
even harder)(if harder than easy is hard)
Chris

"JZ" <j*@anon.anon.com> wrote in message
news:u9qdncBiIO-mGHnZRVnyvw@pipex.net...
> Hi,
>
> I'm just wondering why I should bother securing my MS Access Database, I
> mean you can download tools which will remove all the security?
>
> I'm looking for answer to give to my boss.
>
> Thanks,
>
> --
> jj
>
>
Author
17 Aug 2006 3:55 PM
Chris Mills
and mainly because...it's about all you can do, assuming the use of Access.
Author
17 Aug 2006 5:22 PM
Rick Brandt
JZ wrote:
> Hi,
>
> I'm just wondering why I should bother securing my MS Access
> Database, I mean you can download tools which will remove all the
> security?
> I'm looking for answer to give to my boss.
>
> Thanks,

I can buy a lock pick, but I still lock the doors to my house.  A barrier that
is imperfect is still a barrier.  It depends on what your expectations of the
barrier are to determine whether it is worthwhile to have.

--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com
Author
18 Aug 2006 6:28 AM
JZ
OK, thanks for these comments.

What about reasons why we would secure a MDB that would be distributed.
Mainly to clients, but could be for public access.

We are committed to MS Access due to the time spent on development and
in-house knowledge.

--
jj
Author
18 Aug 2006 11:22 AM
Rick Brandt
JZ wrote:
> OK, thanks for these comments.
>
> What about reasons why we would secure a MDB that would be
> distributed. Mainly to clients, but could be for public access.
>
> We are committed to MS Access due to the time spent on development and
> in-house knowledge.

Personally I wouldn't bother securing a distributed app in most cases.  I would
distribute a split app with the front end being an MDE so the code couldn't be
tampered with, but the back end would not be anything special.  At the most I
would give it a different file extension so that it wasn't obviously an Access
file.

--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com
Author
18 Aug 2006 7:28 AM
Keith Wilby
"JZ" <j*@anon.anon.com> wrote in message
news:u9qdncBiIO-mGHnZRVnyvw@pipex.net...
> Hi,
>
> I'm just wondering why I should bother securing my MS Access Database, I
> mean you can download tools which will remove all the security?
>
> I'm looking for answer to give to my boss.
>

The answer is a question - do you need a padlock or a bank vault?  If the
latter then Access is no good, you need to upsize to a service such as
Oracle.

Keith.
www.keithwilby.com
Author
18 Aug 2006 11:40 AM
JZ
Hi,

Again, thanks for the further comments.

What would you guys suggest for program developers who are distributing
their program and an MDB.  Any extra steps which would add to the security?

e.g. Rename MDB.

Obviously using Oracle isn't practical for small distribution.

Any further comments greatly appreciated.

Thanks,

--
jj
Author
18 Aug 2006 1:35 PM
Joan Wild
First you asked why bother securing, since you can hack it, but now you are
looking for anything you can do to add barriers.

Renaming the file is much easier to get around than hacking the security,
but if you want more...

Implement security
Create custom menus/toolbars for use throughout your application.
Create a startup form (a main menu form if you have one) that is opened on
startup.
Use the features in Tools, Startup to limit menus, db window, special keys,
etc.
Disable the shiftkey bypass
http://www.mvps.org/access/modules/mdl0011.htm
and
http://www.mvps.org/access/general/gen0040.htm

You can also create a MDE from your database, which will prevent changes to
forms, reports and modules.
Rename the mdb
Put it in a hidden folder

--
Joan Wild
Microsoft Access MVP

JZ wrote:
> Hi,
>
> Again, thanks for the further comments.
>
> What would you guys suggest for program developers who are
> distributing their program and an MDB.  Any extra steps which would
> add to the security?
> e.g. Rename MDB.
>
> Obviously using Oracle isn't practical for small distribution.
>
> Any further comments greatly appreciated.
>
> Thanks,
>
> --
> jj
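
The startup restrictions and shift-key bypass step listed in the post above can be applied in one pass from VBA. This is an added example, not code from the thread or from the linked pages; the form name `frmMainMenu` and both procedure names are hypothetical, and a DAO reference is assumed.

```vba
Option Compare Database
Option Explicit

' Added example (not from the thread). Run once in the copy you are about
' to distribute; keep an unlocked master copy for development.

' Create or replace one startup property on the database.
' The fourth argument of CreateProperty (DDL) is set to True so that only
' users with Administer permission on the database can change or delete
' the property afterwards. Without it, any user can reset the flag.
Private Sub SetStartupProp(db As DAO.Database, ByVal propName As String, _
                           ByVal propType As Long, ByVal propValue As Variant)
    Dim prp As DAO.Property

    ' Remove an existing copy so the property is re-created with DDL = True.
    ' Errors are ignored here: the property may simply not exist yet.
    On Error Resume Next
    db.Properties.Delete propName
    On Error GoTo 0

    ' If the old property could not be removed (insufficient permission),
    ' Append raises an error and the caller sees that the lock-down failed.
    Set prp = db.CreateProperty(propName, propType, propValue, True)
    db.Properties.Append prp
End Sub

Public Sub LockDownStartup()
    Dim db As DAO.Database
    Set db = CurrentDb

    ' Open the main menu form on startup (hypothetical form name).
    SetStartupProp db, "StartupForm", dbText, "frmMainMenu"

    ' Hide the database window and the built-in menus and toolbars.
    SetStartupProp db, "StartupShowDBWindow", dbBoolean, False
    SetStartupProp db, "AllowFullMenus", dbBoolean, False
    SetStartupProp db, "AllowBuiltInToolbars", dbBoolean, False
    SetStartupProp db, "AllowToolbarChanges", dbBoolean, False

    ' Disable the special keys (database window, code window shortcuts).
    SetStartupProp db, "AllowSpecialKeys", dbBoolean, False

    ' Disable the shift-key bypass of the startup options.
    SetStartupProp db, "AllowBypassKey", dbBoolean, False

    Set db = Nothing
End Sub
```

The settings take effect the next time the file is opened. Once `AllowBypassKey` is False, turning it back on means running code against the file as a user with Administer permission, so test on a copy first.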
Author
18 Aug 2006 5:29 PM
Chris Mills
There's a number of add-in security products like www.sagekey.com

I'm not in a position to say how good they are. But something along these
lines is essential on top of Access security, that is, at least some level of
copy protection.

Chris
Author
19 Aug 2006 10:02 AM
Michael Skelton
Hi everyone,

I also can't verify that any of these products truly are secure but I can
verify that all of my encounters with Access databases have been met with
very few walls or challenges.

Unfortunately to my knowledge there really isn't any way you can 'truly'
secure your data from third party access.

Michael


On 19/8/06 3:29 AM, in article e311twuwGHA.2***@TK2MSFTNGP03.phx.gbl, "Chris
Mills" <phad_nospam@cleardotnet.nz> wrote:

> There's a number of add-in security products like www.sagekey.com
>
> I'm not in a position to say how good they are. But something along these
> lines is essential on top of Access security, that is, at least some level of
> copy protection.
>
> Chris
>
>
Author
19 Aug 2006 8:27 PM
Chris Mills
The strangest thing is...there seem a heck of a lot of
people..."programmers"...who don't seem to have a handle on Access ULS, hence
the majority of questions in this newsgroup! Of course, this is hardly a
statistic, since those who do have a handle don't post questions!

I did try data encryption at one stage (NOT the inbuilt Encrypt/Decrypt),
together with hopefully suppression of virtually all copy/paste out of forms
(prevent legitimate users), though never actually implemented it. I'd just say
that, since a straight mdb has $0 of security, these things at least had $0.02
or more!

And a good puzzle, even for the writer of it, might be to take out the "keys"
at the top of each column (the nice English field names replaced with guano).
I haven't actually done this coz then it would be too difficult for ME to
maintain.

....back to sleep... :-)
Chris
Author
19 Aug 2006 9:11 PM
Chris Mills
Sorry, couldn't sleep...the bogeys got to me!

What's this?

Expr001   Expr002                                                  Expr003
¾½ºÏÇÏ     ¾š‘š‹—†ß×­ŒŒÖß³žˆß°™™–œš     ¯°ß½‡ßÊÍÇÌ
¾½­ÏÍÏ        ²ž–‘ß­ß¾ž’Œ                                 ¯°ß½‡ßÍÊÏÈË


That's right. All converted to "unprintable characters" as well, so it
probably hasn't even transcribed correctly.

(UNDOUBTEDLY breakable, but who has the nouse, and who of those has the time
or energy?)
Author
20 Aug 2006 2:05 AM
Chris Mills
As best I can tell (this is from a while ago) it means:

ABE090, A(censored) Law Office, PO Box(censored)
ABR020, Marion (censored) Someone, PO Box(censored)

My greatest difficulty, was NOT recovering this previous encryption of mine,
but having to plug-in a Windows 3.1 disk and try and remember how to use it!!!

I think it's a bit rich of people like Rick Brandt (undoubtedly a technical
expert) and Joan Wild (another one) to purport to give advice on distributing
Access applications. Because, NEITHER of them use it that way!

(Joan is particularly on record as stating she DOES NOT USE Access Security
for such purposes. Also, you can see that her advice is limited only to the
machinations of actual Access Security, which is fine because she has said she
does NOT use Access security in practice. If either of them had, they would be
very aware of advice on add-in products)

Even suggestions to use SQLServer can be a bit suspect.
a) it may not be as suitable or as easy for general remote distribution as
Access.
b) depending on how it's written, Access is inevitably a portal into SQLServer
which might not therefore, as a unit, be secure. (David) had some useful
interpretations of this within the last year in this newsgroup.

The overall point is that, yes things can be broken by "security experts".
Who's a security expert? and how much incentive do they have? In this
newsgroup, most questions are answered by "security experts". OF COURSE THEY
CAN BREAK IT but can your average customer?

Also,  (program copying) is a matter of statistics. A business decision
really. MS has some great schemes (CD-KEY). It does not prevent copying (so I
hear), but it sure goes a long way to upping the business statistics. That's
why I said, in my first post, you need at the least a list of valid customers
(checking methods which are completely outside of Access)

It's never black-and-white. In some respects, it's unfair to rely solely on
MS-Access (or SQLServer or Oracle for that matter, for reasons stated)

The purpose of this newsgroup, I believe, is to advise on what can be done to
secure something, given the tools available. Certainly not how to break it,
though of course they are interrelated.
In Other Words: I don't b.know! All my suggestions are more-or-less equally
questions.
Chris

PS NO Reflections on Rick or Joan! Who are doing their best with an insecure
product. Merely used as illustrations...securing stuff is a right struggle
that's for sure.
Author
20 Aug 2006 11:46 AM
JZ
Hi,

Again thanks so much for these comments.

To lay my card on the table and be completely truthful.

I'm actually the developer of an MS Access Security tool.
It's been around a few years, I've done small tweaks over the years.
But I was surprised to get a few sales recently.

I was thinking about improving the program and adding new functionality.

However a month or two ago someone emailed me to say, "Why bother securing?"
etc.
I didn't really have an answer for him, hence he didn't buy it.

I made this posting to get some other points of view.

There's lots I can do with both my website and the program.
Presently the website is aimed at the developer, I'm told it should be aimed
at the manager.

I think I'm right in saying that the new Vista MS Access will blow security
out of the water as we know it and therefore my program will become
obsolete.

But I think the Our versions of MS Access will still be used for a couple
more years at least.

So what do you think, should I put effort into my program?


--
jj
Author
20 Aug 2006 8:47 PM
Chris Mills
I wouldn't know how much market there is. I wrote my own, as do many people
based on posts for HD serial numbers and such-like, anyway distributed
software usually needs something along these lines.

You can lookup google for software protection and get some idea of various
products. Some of them seem quite expensive, which is good for you of course!

Chris
Author
21 Aug 2006 6:42 AM
JZ
Hi Chris,

Thanks for your reply.
But it doesn't seem to have anything to  do with the message I posted?

Thanks,

--
jj
Author
21 Aug 2006 6:15 PM
Chris Mills
Your question was, should you put in the effort? Presumably to sell it? Some
sort of add-in security product?

Presumably as a business proposition. The sole criteria would be, what market
is there?

To be sure, how would we know if it's worth putting in the effort, when the
only info is "security tool".

If it's just an analysing tool, there's at least one free one.

Cheers
Chris

"JZ" <j*@anon.anon.com> wrote in message
news:tLidnalgrrBKyHTZRVnytQ@pipex.net...
> Hi Chris,
>
> Thanks for your reply.
> But it doesn't seem to have anything to  do with the message I posted?
>
> Thanks,
>
> --
> jj
>
>
Author
21 Aug 2006 7:04 PM
JZ
Hi,

Thanks for your comments.

> Your question was, should you put in the effort? Presumably to sell it?
> Some
> sort of add-in security product?

Yes to sell more.
Improve what the program does, provide more flexibility and improve the
website.

> Presumably as a business proposition. The sole criteria would be, what
> market
> is there?

Well I guess there is a market as it does sell a bit.
My main problem is marketing the program, as it doesn't provide 100%
security.

> To be sure, how would we know if it's worth putting in the effort, when
> the
> only info is "security tool".

No it adds the sort of security you could add in MS Access, but without the
user having to know how or why. Thus saving them time and effort.

I guess I have answered some of my own questions.

My main worry was that security can be overridden easily.
I was chatting to a friend and he suggested that I say something like 90%
secure on my website.

Thanks,

Jules.
Author
21 Aug 2006 7:50 PM
Chris Mills
> I was chatting to a friend and he suggested that I say something like 90%
> secure on my website.

Don't do that.

You can't give a percent. Access is 100% secure to my grandmother, and 0%
secure to some in this newsgroup.

Chris
Author
21 Aug 2006 8:05 PM
JZ
You're probably right.

However, you can see my dilemma.

I can't really say it's a security tool.
As that implies it provides security, I guess it does a bit....

Difficult.....

Any suggestions?

Thanks,

--
jj
Author
21 Aug 2006 8:16 PM
Rick Brandt
JZ wrote:
> You're probably right.
>
> However, you can see my dilemma.
>
> I can't really say it's a security tool.
> As that implies it provides security, I guess it does a bit....
>
> Difficult.....
>
> Any suggestions?

At most I would call it a "User Configuration" utility and indicate that it
allows the app to "behave differently" based on the user currently running
the file.  If you imply anything beyond that you open yourself up to
possible legal problems when a user expects it to provide protection that
isn't there.

--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com
Author
21 Aug 2006 8:21 PM
JZ
OK..

Well this is my program...

http://tinyurl.com/yupl5

Any suggestions?
Author
21 Aug 2006 8:46 PM
Rick Brandt
JZ wrote:
> OK..
>
> Well this is my program...
>
> http://tinyurl.com/yupl5
>
> Any suggestions?

Okay, I didn't realize until you posted this that your utility was actually
implementing the ULS that comes with Access.  It sounded like just a simple
password checking thing.

I would say that as long as you are confident that your utility doesn't
produce a file that is secured worse than one where the standard ULS steps
were taken that all you might want to do is include a disclaimer indicating
that the built in security "built by Microsoft into Access" is not
completely unbreakable and that your software is only promising that same
protection with less work.

--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt   at   Hunter   dot   com
Author
21 Aug 2006 8:58 PM
Chris Mills
I don't see anything controversial about that.
You don't HAVE to make claims about how secure or not ULS is!

Again, I wouldn't know what market there is.
Chris

"JZ" <j*@anon.anon.com> wrote in message
news:mbudnbhb-vZPiHfZRVnytg@pipex.net...
> OK..
>
> Well this is my program...
>
> http://tinyurl.com/yupl5
>
> Any suggestions?
>
>
Author
22 Aug 2006 6:07 AM
JZ
Hi,

Thanks once more for your comments.

Well there does seem to be a small market as I do get some sales.

My plan for the software, is to provide different levels of security, aimed
at two different user groups. A program developer and an access developer.
Also what I call a database opener, which will save passwords. Also these
features on a context menu.

With the site, I had been advised to sell to business people saying "secure
your payroll database" etc and not mention the technicalities, but I can't
really do that. Unless maybe I add Rick's disclaimer idea perhaps... hmm...

Anything further?

Thanks guys.

--
jj
Author
22 Aug 2006 3:19 PM
Joan Wild
Security has been dropped from the next version of Access; that may impact
your decision.

--
Joan Wild
Microsoft Access MVP

JZ wrote:
> Hi,
>
> Thanks once more for your comments.
>
> Well there does seem to be a small market as I do get some sales.
>
> My plan for the software, is to provide different levels of security,
> aimed at two different user groups. A program developer and an access
> developer. Also what I call a database opener, which will save
> passwords. Also these features on a context menu.
>
> With the site, I had been advised to sell to business people saying
> "secure your payroll database" etc and not mention the
> technicalities, but I can't really do that. Unless maybe I add Rick's
> disclaimer idea perhaps... hmm...
> Anything further?
>
> Thanks guys.
>
> --
> jj
Author
23 Aug 2006 8:20 AM
JZ
Yeah, I'm aware of that.
I mentioned at the start of this thread.

The way I look at it, MS Access will still be in use for at least a couple
of years after Vista.
There's plenty of people just upgrading to XP now.
Besides people do buy my program, so there is a market.
I figure I can get my changes done quite quickly.

Thanks Joan.
Author
23 Aug 2006 9:55 AM
Brendan Reynolds
There are lots of Access 97 and even Access 2 solutions still going strong
out there. I read in a magazine article recently that there are an estimated
70 million users of Windows 98 world-wide. So your utility would probably
continue to be of use to some people for quite some time to come.

Of course, people who are still running Access 2 or Access 97 on Windows 98
are probably, for the most part, people who don't spend a lot of money on
computer software. So this may not be a very profitable market niche to
pursue! :-/

--
Brendan Reynolds
Access MVP

"JZ" <j*@anon.anon.com> wrote in message
news:CfidnSUQ8_5QknHZRVnyiA@pipex.net...
> Yeah, I'm aware of that.
> I mentioned at the start of this thread.
>
> The way I look at it, MS Access will still be in use for at least a
> couple of years after Vista.
> There's plenty of people just upgrading to XP now.
> Besides people do buy my program, so there is a market.
> I figure I can get my changes done quite quickly.
>
> Thanks Joan.
>