|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
After migrating .mdb to v.2007 & rename mdw file, v.2007 lets me iACCESS 2007. After successfully migrating them all, I stubbled by accident on a security glitch. All these apps uses User Level Security (ULS), and for each database a seperate .mdw file is used as well. We use the FE & BE approach as well, were the BE & .mdw file are located on a network server. A shortcut file is used for all of them as well, defining the location of database as well the mdw file to use against it. Here's the problem. If I try accessing the database directly, on a development server, I get in on 4 of them, no questions asked. Using the "SysCmd(acSysCmdGetWorkgroupFile)" within the VB Editor, I find it surprising that it now uses the default system.mdw file. But the same database in version 2002(Prodution), it will not let me in. Furthermore, if I rename the system.mdw file and try to access the database directly, it recreates the default mdw file. I have to use the "RunCommand acCmdWorkgroupAdminstrator" in the VB Editor in order to join to the appropriate mdw file. My concern is that someone can simply rename the mdw file located on the network, and then they have full access to the database. Our only option is to change the attribute of the mdw file to hidden. Is this a bug or is their a patch out there that I can use to fix this problem? We have downloaded the SP1 patch as well. If using a different MDW file lets you into the database, then security
wasn't applied correctly in the first place. I can't offer any explanation why you don't have the same issue using Access 2002. -- Show quoteHide quoteDoug Steele, Microsoft Access MVP http://I.Am/DougSteele (no private e-mails, please) "Pierre Doré" <pierre_d***@discussion.microsoft.com> wrote in message news:9BC007B6-C27C-47B9-9611-A36A3E7C99E5@microsoft.com... >I am responsible for migrating a dozen MS ACCESS 2002 applications to MS > ACCESS 2007. After successfully migrating them all, I stubbled by > accident > on a security glitch. All these apps uses User Level Security (ULS), and > for > each database a seperate .mdw file is used as well. We use the FE & BE > approach as well, were the BE & .mdw file are located on a network server. > A > shortcut file is used for all of them as well, defining the location of > database as well the mdw file to use against it. Here's the problem. If > I > try accessing the database directly, on a development server, I get in on > 4 > of them, no questions asked. Using the "SysCmd(acSysCmdGetWorkgroupFile)" > within the VB Editor, I find it surprising that it now uses the default > system.mdw file. But the same database in version 2002(Prodution), it > will > not let me in. Furthermore, if I rename the system.mdw file and try to > access the database directly, it recreates the default mdw file. I have > to > use the "RunCommand acCmdWorkgroupAdminstrator" in the VB Editor in order > to > join to the appropriate mdw file. My concern is that someone can simply > rename the mdw file located on the network, and then they have full access > to > the database. Our only option is to change the attribute of the mdw file > to > hidden. Is this a bug or is their a patch out there that I can use to fix > this problem? We have downloaded the SP1 patch as well. When you migrated from 2002 to 2007, did you sign in as a member of the
admins group and convert the 2002 mdb to a 2007 accdb? If you did that, *you* removed user level security. Accdb files use the the ACE db engine, which doesn't recognize Jet 4 security. Keep the db in an mdb format and Jet 4 security remains when opening it in 2007 - if it was secure when in 2002 format. Chris Pierre Doré wrote: >Is this a bug or is their a patch out there that I can use to fix >this problem? We have downloaded the SP1 patch as well. -- Message posted via AccessMonster.com http://www.accessmonster.com/Uwe/Forums.aspx/access-security/200905/1 
Other interesting topics
|
|||||||||||||||||||||||
