|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
ULS Flaw?If I create an Access database on one PC, and then secure it by using the
Security Wizard on a second PC, I find that it is secured on the second PC, but completely unsecured when I open it on the first. Can anyone explain this behaviour? Both PCs are running Windows XP and both are runnign the same copy of MS Access 2002 Authored by: Milewskp "Milewskp" <-A0F5-40A6-AEF7-69664D167***@microsoft.com...
> If I create an Access database on one PC, and then secure it by using the ÎÞ·¨ÕÒµ½Ö÷»ú¡°SMTP¡±¡£Çë¼ì²éÊäÈëµÄ·þÎñÆ÷ÃûÊÇ·ñÕýÈ·¡£ ÕÊ»§: 'POP3', ·þÎñÆ÷:'SMTP', ÐÒé: SMTP, ¶Ë¿Ú: 25, °²È«(SSL): ·ñ, Ì×½Ó×Ö´íÎó: 11001, ´íÎóºÅ: 0x800CCC0D Show quote > Security Wizard on a second PC, I find that it is secured on the second PC, > but completely unsecured when I open it on the first. > > Can anyone explain this behaviour? > > Both PCs are running Windows XP and both are runnign the same copy of MS > Access 2002 > > Authored by: Milewskp > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message That is the expected behavior when a file is secured incorrectly. In some news:B3DF35F7-A0F5-40A6-AEF7-69664D167E42@microsoft.com... > If I create an Access database on one PC, and then secure it by using the > Security Wizard on a second PC, I find that it is secured on the second PC, > but completely unsecured when I open it on the first. > > Can anyone explain this behaviour? versions the wizard does NOT produce a properly secured file. Chances are Admin is still the owner of the database meaning that anyone will be able to open it. -- Rick Brandt, Microsoft Access MVP Email (as appropriate) to... RBrandt at Hunter dot com Thanks Rick.
Can you explain what it is about the permissions set by the Wizard that appears to make the database secure on one PC but not the other? Can you point me to a reference that lists bugs related to ULS Security in general, and the Security Wizard in particular? Show quote "Rick Brandt" wrote: > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message > news:B3DF35F7-A0F5-40A6-AEF7-69664D167E42@microsoft.com... > > If I create an Access database on one PC, and then secure it by using the > > Security Wizard on a second PC, I find that it is secured on the second PC, > > but completely unsecured when I open it on the first. > > > > Can anyone explain this behaviour? > > That is the expected behavior when a file is secured incorrectly. In some > versions the wizard does NOT produce a properly secured file. Chances are Admin > is still the owner of the database meaning that anyone will be able to open it. > > -- > Rick Brandt, Microsoft Access MVP > Email (as appropriate) to... > RBrandt at Hunter dot com > > > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message You are assuming it is secure on the original PC because you are prompted to log news:2B330FE7-6738-47E6-BFDD-9B6D3E013F3D@microsoft.com... > Thanks Rick. > Can you explain what it is about the permissions set by the Wizard that > appears to make the database secure on one PC but not the other? > > Can you point me to a reference that lists bugs related to ULS Security in > general, and the Security Wizard in particular? in. That is a completely separate issue from whether a file is secured or not. The truth is that the file is totally un-secured because the Admin user as a member of the Users group is able to open it on the other PC. Neither Admin nor the group Users should have any permissions or ownership in a properly secured file. As stated before, a common mis-step is to leave Admin as the owner of the database. Owners have rights above and beyond their *permissions*. -- Rick Brandt, Microsoft Access MVP Email (as appropriate) to... RBrandt at Hunter dot com Hi Rick,
I can open the database on the PC that it was created on just by double clicking the file icon. When I try this on the PC that the database was secured on, Access will not let me open the file. (To secure the database I followed steps 16-32 on Joan Wild’s Step by Step instructions at http://www.jmwild.com/security02.htm.) Can you explain what it is about the permissions set by the Wizard that appears to make the database secure on one PC but not the other? Can you point me to a reference that lists bugs related to ULS Security in general, and the Security Wizard in particular? Show quote "Rick Brandt" wrote: > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message > news:2B330FE7-6738-47E6-BFDD-9B6D3E013F3D@microsoft.com... > > Thanks Rick. > > Can you explain what it is about the permissions set by the Wizard that > > appears to make the database secure on one PC but not the other? > > > > Can you point me to a reference that lists bugs related to ULS Security in > > general, and the Security Wizard in particular? > > You are assuming it is secure on the original PC because you are prompted to log > in. That is a completely separate issue from whether a file is secured or not. > > The truth is that the file is totally un-secured because the Admin user as a > member of the Users group is able to open it on the other PC. Neither Admin nor > the group Users should have any permissions or ownership in a properly secured > file. > > As stated before, a common mis-step is to leave Admin as the owner of the > database. Owners have rights above and beyond their *permissions*. > > -- > Rick Brandt, Microsoft Access MVP > Email (as appropriate) to... > RBrandt at Hunter dot com > > > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:E8426AD6-70B8-4A76-8F59-503EBCD5B9F3@microsoft.com... It sounds as though these are different files. The permissions are stored in the mdb file. Securing one copy of the file, doesn't magically secure all copies of it.> Hi Rick, > I can open the database on the PC that it was created on just by double > clicking the file icon. When I try this on the PC that the database was > secured on, Access will not let me open the file. You need to copy the secure mdb to the other computer as well. -- Joan Wild Microsoft Access MVP
Show quote
"Joan Wild" wrote: I can assure you , it is the same file: I create the mdb file on one of my > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:E8426AD6-70B8-4A76-8F59-503EBCD5B9F3@microsoft.com... > > Hi Rick, > > I can open the database on the PC that it was created on just by double > > clicking the file icon. When I try this on the PC that the database was > > secured on, Access will not let me open the file. > > It sounds as though these are different files. The permissions are stored in the mdb file. Securing one copy of the file, doesn't magically secure all copies of it. > > You need to copy the secure mdb to the other computer as well. > > -- > Joan Wild > Microsoft Access MVP > Hi Joan, PCs (call it PC1), load it on my other PC (PC2) and secure it using steps 16-32 of your Step by Step instructions at http://www.jmwild.com/security02.htm. After being secured, I can no longer open it on PC2 simply by double-clicking (as expected), but I can on PC1. Note that when I open it on PC1, the owner of the database and all objects is shown as <unknown>. BTW, the information you’ve posted on the internet has been very helpful to me. Thanks. "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:3C877A57-98B1-49CD-B397-01DCFF0411CC@microsoft.com... Sorry, but I am not clear here. How are you opening it on PC1? It still sounds as though you are opening the original file that was on PC1. Are you copying back the secure file to PC1? Are you opening it over the network?>> > Hi Joan, > I can assure you , it is the same file: I create the mdb file on one of my > PCs (call it PC1), load it on my other PC (PC2) and secure it using steps > 16-32 of your Step by Step instructions at > http://www.jmwild.com/security02.htm. After being secured, I can no longer > open it on PC2 simply by double-clicking (as expected), but I can on PC1. > Note that when I open it on PC1, the owner of the database and all objects is > shown as <unknown>. -- Joan Wild Microsoft Access MVP "Joan Wild" wrote: Hi Joan,> Sorry, but I am not clear here. How are you opening it on PC1? It still sounds as though you are opening the original file that was on PC1. Are you copying back the secure file to PC1? Are you opening it over the network? I create the file on PC1, and call it CreatedOnPC1.mdb I copy CreatedOnPC1.mdb to a memory stick I copy CreatedOnPC1.mdb from the memory stick to PC2’s desktop I secure the copy of CreatedOnPC1.mdb on PC2’s desktop using the Security Wizard as explained earlier. I rename the secured mdb file on PC2’s desktop as CreatedOnPC1.SecuredOnPC2.mdb, and copy it to the memory stick. I copy CreatedOnPC1.SecuredOnPC2.mdb from the memory stick to PC1’s desktop. I double click on CreatedOnPC1.SecuredOnPC2.mdb on PC1’s desktop, and it opens. Note: I am running the same copy of Access 2002 under Windows XP on both PC1 and PC2. This problem doesn’t occur on other pairs on PCs that I’ve tried which are running Access 2003. OK, then you missed a step in securing the database. When you do it right, you won't be able to open the mdb unless you use the correct secure mdw file. It's important to follow *every* step, missing nothing, and in the correct order.
-- Show quoteJoan Wild Microsoft Access MVP "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:60748FDB-BDF9-477C-BA59-CE6095EDB9BB@microsoft.com... > > > "Joan Wild" wrote: >> Sorry, but I am not clear here. How are you opening it on PC1? It still sounds as though you are opening the original file that was on PC1. Are you copying back the secure file to PC1? Are you opening it over the network? > > Hi Joan, > I create the file on PC1, and call it CreatedOnPC1.mdb > I copy CreatedOnPC1.mdb to a memory stick > I copy CreatedOnPC1.mdb from the memory stick to PC2’s desktop > I secure the copy of CreatedOnPC1.mdb on PC2’s desktop using the Security > Wizard as explained earlier. > I rename the secured mdb file on PC2’s desktop as > CreatedOnPC1.SecuredOnPC2.mdb, and copy it to the memory stick. > I copy CreatedOnPC1.SecuredOnPC2.mdb from the memory stick to PC1’s desktop. > I double click on CreatedOnPC1.SecuredOnPC2.mdb on PC1’s desktop, and it > opens. > > Note: I am running the same copy of Access 2002 under Windows XP on both > PC1 and PC2. This problem doesn’t occur on other pairs on PCs that I’ve tried > which are running Access 2003. > > "Joan Wild" wrote: Here are the steps I followed to secure the database:> OK, then you missed a step in securing the database. When you do it right, you won't be able to open the mdb unless you use the correct secure mdw file. It's important to follow *every* step, missing nothing, and in the correct order. > > -- > Joan Wild - Open the database - Select Tools/ Security/ ULS Wizard - click Next 7 times and then click Finish - close the Security report winodw and click No (don't save) - click OK. Show quote > Microsoft Access MVP > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:60748FDB-BDF9-477C-BA59-CE6095EDB9BB@microsoft.com... > > > > > > "Joan Wild" wrote: > >> Sorry, but I am not clear here. How are you opening it on PC1? It still sounds as though you are opening the original file that was on PC1. Are you copying back the secure file to PC1? Are you opening it over the network? > > > > Hi Joan, > > I create the file on PC1, and call it CreatedOnPC1.mdb > > I copy CreatedOnPC1.mdb to a memory stick > > I copy CreatedOnPC1.mdb from the memory stick to PC2’s desktop > > I secure the copy of CreatedOnPC1.mdb on PC2’s desktop using the Security > > Wizard as explained earlier. > > I rename the secured mdb file on PC2’s desktop as > > CreatedOnPC1.SecuredOnPC2.mdb, and copy it to the memory stick. > > I copy CreatedOnPC1.SecuredOnPC2.mdb from the memory stick to PC1’s desktop. > > I double click on CreatedOnPC1.SecuredOnPC2.mdb on PC1’s desktop, and it > > opens. > > > > Note: I am running the same copy of Access 2002 under Windows XP on both > > PC1 and PC2. This problem doesn’t occur on other pairs on PCs that I’ve tried > > which are running Access 2003. > > > > > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:289B4A64-3A0B-43BC-B8D7-860431BA6485@microsoft.com... The security wizard in 2002 and 2003 works well in my experience. I followed the steps you outlined exactly (even though you didn't choose any built-in groups or add any users), and the resulting mdb is secured. It can only be opened using the secure.mdw workgroup that the wizard created.> > Here are the steps I followed to secure the database: > - Open the database > - Select Tools/ Security/ ULS Wizard > - click Next 7 times and then click Finish > - close the Security report winodw and click No (don't save) > - click OK. -- Joan Wild Microsoft Access MVP Hi Joan,
I've tried to duplicate this problem on other pairs of PCs, including: - my PC1, and PC3 (running Access 2003) - my PC2, and PC3 (running Access 2003) - PC3 and PC4 (both running Access 2003). but I have only been able to get the problem to occur when I create the mdb on my PC1 and secure it on my PC2, or create the mdb on my PC2 and secure it on my PC1. Both PC1 and PC2 run the same copy of Access 2002. Notes: - If I both create and secure the mdb on PC1, I don't have the problem (ie it is secure on both PC1 and PC2). - If I both create and secure the mdb on PC2, I don't have the problem (ie it is secure on both PC1 and PC2). Any guesses as to what it could be about the configuration of MS Access on these PCs (eg., registry settings, system.mdw characteristics, etc.), that could be causing this problem? I'd like to find out what is causing this, but I'm not sure what to check next. It could be that PC1 or PC2 is joined by default to a mdw that isn't a standard system.mdw (or is one that has been modified)?
Since you are using 2002/2003, you can search for *.mdw and rename every one that you find. When you open Access it'll create a new pristine system.mdw Creating on one, and securing on another shouldn't make a difference By the way, you can secure without using the wizard. -- Show quoteJoan Wild Microsoft Access MVP "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:CB3A7079-09C4-4F5F-8D1C-B2E9C69EF824@microsoft.com... > Hi Joan, > > I've tried to duplicate this problem on other pairs of PCs, including: > - my PC1, and PC3 (running Access 2003) > - my PC2, and PC3 (running Access 2003) > - PC3 and PC4 (both running Access 2003). > but I have only been able to get the problem to occur when I create the mdb > on my PC1 and secure it on my PC2, or create the mdb on my PC2 and secure it > on my PC1. Both PC1 and PC2 run the same copy of Access 2002. > > Notes: > - If I both create and secure the mdb on PC1, I don't have the problem (ie > it is secure on both PC1 and PC2). > - If I both create and secure the mdb on PC2, I don't have the problem (ie > it is secure on both PC1 and PC2). > > Any guesses as to what it could be about the configuration of MS Access on > these PCs (eg., registry settings, system.mdw characteristics, etc.), that > could be causing this problem? I'd like to find out what is causing this, but > I'm not sure what to check next. Hi Joan,
< It could be that PC1 or PC2 is joined by default to a mdw that isn't a standard system.mdw (or is one that has been modified)?> Since the Wizard creates a new mdb with a random SID for Admins, strips Admin and Users of all permissions, changes the owner from Admin to the curent user and assigns the new user a random SID, I don’t see how any modification to system.mdw would allow it to open the secured mdb. Can you? The only way I can explain what’s happenign is to assume that the Wizard in this version of Access doesn’t change the Admins SID stored in the mdb file if it is different than the Admins SID of the system.mdw of the current PC. Can you think of any other explanation? If I’m right, you would agree that this is a flaw in Access, or is there a valid reason for this behaviour? Show quote "Joan Wild" wrote: > It could be that PC1 or PC2 is joined by default to a mdw that isn't a standard system.mdw (or is one that has been modified)? > > Since you are using 2002/2003, you can search for *.mdw and rename every one that you find. When you open Access it'll create a new pristine system.mdw > > Creating on one, and securing on another shouldn't make a difference > > By the way, you can secure without using the wizard. > > -- > Joan Wild > Microsoft Access MVP The wizard asks you if you want to modify the existing mdw or create a new one. It could be modifying a mdw that, although named differently than the default, really is just a copy of the default.
On the machine where the wizard appears to not secure it properly, login as a member of the Admins group using your 'secure' mdw and check that Admin user isn't the owner of anything. Users Group doesn't have permission to anything. -- Show quoteJoan Wild Microsoft Access MVP "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:053BB5EE-6F81-4D55-8718-207EC49462E6@microsoft.com... > Hi Joan, > < It could be that PC1 or PC2 is joined by default to a mdw that isn't a > standard system.mdw (or is one that has been modified)?> > Since the Wizard creates a new mdb with a random SID for Admins, strips > Admin and Users of all permissions, changes the owner from Admin to the > curent user and assigns the new user a random SID, I don’t see how any > modification to system.mdw would allow it to open the secured mdb. Can you? > > The only way I can explain what’s happenign is to assume that the Wizard in > this version of Access doesn’t change the Admins SID stored in the mdb file > if it is different than the Admins SID of the system.mdw of the current PC. > Can you think of any other explanation? If I’m right, you would agree that > this is a flaw in Access, or is there a valid reason for this behaviour? > > > > "Joan Wild" wrote: > >> It could be that PC1 or PC2 is joined by default to a mdw that isn't a standard system.mdw (or is one that has been modified)? >> >> Since you are using 2002/2003, you can search for *.mdw and rename every one that you find. When you open Access it'll create a new pristine system.mdw >> >> Creating on one, and securing on another shouldn't make a difference >> >> By the way, you can secure without using the wizard. >> >> -- >> Joan Wild >> Microsoft Access MVP Hi Joan,
<On the machine where the wizard appears to not secure it properly, login as a member of the Admins group using your 'secure' mdw and check that Admin user isn't the owner of anything. Users Group doesn't have permission to anything.> - The Admin user doesn't own anything and the Users group has not permissions. I discovered that the system.mdw on PC1 that was causing the trouble was created by Access 97, and the testing I’ve done suggests that when Access 2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE THE ADMINS SID STORED IN THE MDB FILE. To confirm my theory, would you please do the following for me: - Create an mdb in Access 1997. - Secure it in Access 2002 using the security wizard. - Replace the Access 2002 system.mdw file with the Access 1997 system.mdw. - Try to open the secured mdb by double-clicking it. -------------------------------- Show quote "Joan Wild" wrote: > The wizard asks you if you want to modify the existing mdw or create a new one. It could be modifying a mdw that, although named differently than the default, really is just a copy of the default. > > On the machine where the wizard appears to not secure it properly, login as a member of the Admins group using your 'secure' mdw and check that > Admin user isn't the owner of anything. > Users Group doesn't have permission to anything. > > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:1E27AFC3-D3DA-4AAB-BD2C-568C6A208009@microsoft.com... Sorry but I can't reproduce this. Created a mdb in 97. Secured it using the wizard in 2002. Wasn't able to open the secured mdb via double-click. Replaced the 2002 system.mdw with the 97 system.mdw (not sure why you'd do this, but...); still wasn't able to open the secure mdb via a double-click.> > I discovered that the system.mdw on PC1 that was causing the trouble was > created by Access 97, and the testing I’ve done suggests that when Access > 2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE > THE ADMINS SID STORED IN THE MDB FILE. > > To confirm my theory, would you please do the following for me: > - Create an mdb in Access 1997. > - Secure it in Access 2002 using the security wizard. > - Replace the Access 2002 system.mdw file with the Access 1997 system.mdw. > - Try to open the secured mdb by double-clicking it. Something else is causing this. -- Joan Wild Microsoft Access MVP Hi Joan,
Thanks for trying. I'll try it on a couple of PCs at work and keep you posted if you're interested. Show quote "Joan Wild" wrote: > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:1E27AFC3-D3DA-4AAB-BD2C-568C6A208009@microsoft.com... > > > > I discovered that the system.mdw on PC1 that was causing the trouble was > > created by Access 97, and the testing I’ve done suggests that when Access > > 2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE > > THE ADMINS SID STORED IN THE MDB FILE. > > > > To confirm my theory, would you please do the following for me: > > - Create an mdb in Access 1997. > > - Secure it in Access 2002 using the security wizard. > > - Replace the Access 2002 system.mdw file with the Access 1997 system.mdw. > > - Try to open the secured mdb by double-clicking it. > > Sorry but I can't reproduce this. Created a mdb in 97. Secured it using the wizard in 2002. Wasn't able to open the secured mdb via double-click. Replaced the 2002 system.mdw with the 97 system.mdw (not sure why you'd do this, but...); still wasn't able to open the secure mdb via a double-click. > > Something else is causing this. > > -- > Joan Wild > Microsoft Access MVP > If you like, you can compact and zip up the 'secure' mdb that isn't working, and I'll have a look.
jwild at tyenet dot com -- Show quoteJoan Wild Microsoft Access MVP "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:FA52D2BB-8604-4D3A-A185-DB2E08F2443C@microsoft.com... > Hi Joan, > Thanks for trying. I'll try it on a couple of PCs at work and keep you > posted if you're interested. > > "Joan Wild" wrote: > >> "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:1E27AFC3-D3DA-4AAB-BD2C-568C6A208009@microsoft.com... >> > >> > I discovered that the system.mdw on PC1 that was causing the trouble was >> > created by Access 97, and the testing I’ve done suggests that when Access >> > 2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE >> > THE ADMINS SID STORED IN THE MDB FILE. >> > >> > To confirm my theory, would you please do the following for me: >> > - Create an mdb in Access 1997. >> > - Secure it in Access 2002 using the security wizard. >> > - Replace the Access 2002 system.mdw file with the Access 1997 system.mdw. >> > - Try to open the secured mdb by double-clicking it. >> >> Sorry but I can't reproduce this. Created a mdb in 97. Secured it using the wizard in 2002. Wasn't able to open the secured mdb via double-click. Replaced the 2002 system.mdw with the 97 system.mdw (not sure why you'd do this, but...); still wasn't able to open the secure mdb via a double-click. >> >> Something else is causing this. >> >> -- >> Joan Wild >> Microsoft Access MVP >> Hi Joan,
I sent the file to you May 10. have you received it? Also, I sent the same file and instructions to the Microsoft Global Technical Support Center. Here is their response: From: "Cherry Tao (CS&S)" Date: Fri, 11 May 2007 15:34:53 +0800 To: Peter Milewski Subject: RE: case:SRZ070503001236:Acc2002:security issue Hi Peter, Thank you for the mdw file. I followed all your steps one by one in previous mail and the secured database can be opened by double click it when the 97 system.mdw is joined to Access 2002!!! In conclusion, if the database is created under 97’s system.mdw, secured under 2002’s system.mdw, the user can still open the secured database under original 97’s system.mdw by double-clicking it. I assume this is a security vulnerability between Access 97 and Access 2002. The workaround correctly is to use the same mdw file to create and secured the database. Please understand that Microsoft strives to engineer our products to satisfy the needs of as many people as possible. Unfortunately, some problems inevitably arise. We do try to resolve these problems to the best of our ability. Having said that, we do appreciate the feedback we receive from our customers such as you. I will submit this issue as a bug to our Offbug site. The Offbug site is designed to gather information for the product team in order to make the improvements in Office product releases and its internal. Issues will be dealt with depending on product cycle needs and relevance to current product version. I also invite you to directly submit your ideas or comments to us anytime via either of the following outlets. http://support.microsoft.com/contactus/?WS=Wish http://www.microsoft.com/office/community/en-us/wizard.mspx?type=suggestion As for the fee, no fee will be applied for this incidence since it is caused by our products. In the meantime, I have performed the refund process for you and it will be and should appear as a refund on your next billing statement; depending on your billing cycle. Our primary goal at Microsoft is to make sure our customers are very delighted with the support they receive. If we don't meet the goal in this case, please let me know what we can do further to improve your satisfaction level. Thanks again for your feedback on our products. Regards, Cherry ------------------------------------------------------- Show quote "Joan Wild" wrote: > If you like, you can compact and zip up the 'secure' mdb that isn't working, and I'll have a look. > > jwild at tyenet dot com > Yes I did get it, and I responded by email. As I said, you had me follow a pretty obscure set of steps. I can't think that one would follow this in any real-world situation. I mean you create a mdb in 2002 while joined to the 97 system.mdw. Then you switch out the 97 system.mdw and replace it with the 2002 system.mdw. Then you proceed to secure it. Then you switch the system.mdw files back again. The secure mdb can be opened by the (what is now the default) 97 system.mdw file in 2002.
I guess in the strictest sense it is a bug; probably related to the fact that the system.mdw are different versions.(?) But you have to admit those are a pretty strange set of steps one would have to follow to create this situation. The system.mdw for 97 is installed in the windows system folder; while the system.mdw for 2002 is installed in a different location. When one creates a 2002 mdb, it isn't likely they'd be using the 97 mdw. And even if they were, it is further unlikely that they'd then switch to the 2002 system.mdw and then secure it. If I create a mdb in 2002 using the 2002 system.mdw and then secure it, I can't open it using the 97 system.mdw (nor the 2002 system.mdw). If I create a mdb in 2002 using the 97 system.mdw (and don't switch it back), I can't open it using either 2002 or 97 system.mdw. Under what circumstances would you see someone switching the system.mdw so much? For those interested in seeing it: Using 2002, join the '97 version of system.mdw Close and reopen 2002 and create a new mdb Test.mdb - close the database Rejoin the 2002 version of system.mdw Close Access and reopen Test.mdb (now you're joined to 2002 version of system.mdw) Run the security wizard - just hit Next 7 times and then Finish Rejoin the 97 version of system.mdw as the default. Close Access; You'll now find that you can open the secure Test.mdb with the default set to 97 system.mdw -- Joan Wild Microsoft Access MVP Just a minor comment or two:
The SecFAQ DOES say that mdw's should not be converted (even though there is such an option in Access). Most times, it hardly matters and mdw conversions or mixings usually work fine, but NOT ALWAYS. The only one I know of for sure is this: IF you convert a 97 mdw to later mdw it apparently works fine. BUT, IF the 97 mdw was previously converted from an A2.0 mda, it will fall over quick-smart on converting to a later version. THEREFORE, a "97 mdw" is not enough info, because apparently it has differences depending on how it was generated! I don't think that particular bug was known when they wrote the SecFAQ, therefore, the authors must have had suspicions about converting or mixing mdw's independently! ----- Of course, MS response is just so much PR BS, like so: "We do try to resolve these problems to the best of our ability." B.S. The above bug has been known for a long time. Not to mention, that the SecFAQ (some of the most experienced people we have) recommend against converting mdw's whereas MS still provides it as a standard option! SecFAQ has contained that recommendation for some 10yrs or so! "I will submit this issue as a bug to our Offbug site." Why bother? A97 is many versions obsolete from MS point of view, but a long way from that status in user's point of view. "Issues will be dealt with depending on product cycle needs and relevance to current product version. " Exactly. ULS is obsolete! It is also clear that, and perhaps understandably, MS tends not to bring out "hot fixes" but has a standard program of 2 or 3 "standard" SP's in the life-cycle. Therefore, fixes can't be expected soon even for the most horrid of bugs! If they acknowledge it as a bug, your realistic option remains to find a workaround to avoid it (just as if it was your own bug!!!). I believe I have been well-warned, by the SecFAQ, that mixing versions of mdw's is fraught with potential you-know-whats. I do exactly that of course, mix versions, until I strike some barrier. In this case, recreate a brand-new mdw, as I had to do in shifting from A97 to A2000. If MS wanted to "come clean", they should acknowledge the SecFAQ advice and, therefore, take "convert mdw" out of the Access menu! (simpler than fixing it heh-heh) Chris Chris, none of this requires converting a mdw; nor does it involve 2000. '97 mdw' means the system.mdw that gets installed with Access 97 (you can get a pristine copy from the installation disks if you want to be sure it's pure). '2002 mdw' means the system.mdw that gets installed with Access 2002 (you can rename all the *.mdw files on your machine, and start 2002 - it'll create a pristine one for you).
It is a bug, but I don't see it getting fixed: a. pretty obscure circumstances in which it would arise - therefore very few customers affected b. ULS has been deprecated in ACCDB format in 2007 c. official support for '97 is long over -- Show quoteJoan Wild Microsoft Access MVP "Chris Mills" <phad_nospam@cleardotnet.nz> wrote in message news:u9VKHPclHHA.4840@TK2MSFTNGP04.phx.gbl... > Just a minor comment or two: > > The SecFAQ DOES say that mdw's should not be converted (even though there is > such an option in Access). > > Most times, it hardly matters and mdw conversions or mixings usually work > fine, but NOT ALWAYS. > > The only one I know of for sure is this: > IF you convert a 97 mdw to later mdw it apparently works fine. > BUT, IF the 97 mdw was previously converted from an A2.0 mda, it will fall > over quick-smart on converting to a later version. > THEREFORE, a "97 mdw" is not enough info, because apparently it has > differences depending on how it was generated! > > I don't think that particular bug was known when they wrote the SecFAQ, > therefore, the authors must have had suspicions about converting or mixing > mdw's independently! > ----- > Of course, MS response is just so much PR BS, like so: > "We do try to resolve these problems to the best of our ability." > B.S. The above bug has been known for a long time. Not to mention, that the > SecFAQ (some of the most experienced people we have) recommend against > converting mdw's whereas MS still provides it as a standard option! SecFAQ has > contained that recommendation for some 10yrs or so! > > "I will submit this issue as a bug to our Offbug site." > Why bother? A97 is many versions obsolete from MS point of view, but a long > way from that status in user's point of view. > > "Issues will be dealt with depending on product cycle needs and relevance to > current product version. " > Exactly. ULS is obsolete! > > It is also clear that, and perhaps understandably, MS tends not to bring out > "hot fixes" but has a standard program of 2 or 3 "standard" SP's in the > life-cycle. Therefore, fixes can't be expected soon even for the most horrid > of bugs! > > If they acknowledge it as a bug, your realistic option remains to find a > workaround to avoid it (just as if it was your own bug!!!). I believe I have > been well-warned, by the SecFAQ, that mixing versions of mdw's is fraught with > potential you-know-whats. I do exactly that of course, mix versions, until I > strike some barrier. > > In this case, recreate a brand-new mdw, as I had to do in shifting from A97 to > A2000. > > If MS wanted to "come clean", they should acknowledge the SecFAQ advice and, > therefore, take "convert mdw" out of the Access menu! (simpler than fixing it > heh-heh) > > Chris > > Point taken.
Nevertheless, I have always taken 6. of the SecFAQ (I think) as advising against mixing ("second best"). The fact that I mentioned a bug unrelated to this one, and here is another one related to mixing, gives me confidence in my lack of confidence in mixing! In the end, of course, we agree that MS is unlikely to fix it, so the OP still has to find a workaround. (Doesn't sound too difficult) ----- OTOH, this sounds like a bad one. Potentially I could do everything "right", and some other idiot with too much time could still mix&match and overcome my security? (ignoring that there may be easier ways to break in of course) That is, it's not clear to me if this is just a development thing to avoid, or if it could be retrospectively done? I also think it's weird (but that's no reason against!), that some info in the mdb seems to be different depending on the version of mdw used at various steps! I'm fascinated that's all, and maybe it has no practical impact. Cheers Chris "Joan Wild" <jwild@nospamtyenet.com> wrote in message Chris, none of this requires converting a mdw; nor does it involve 2000. '97news:e66he3ilHHA.4188@TK2MSFTNGP02.phx.gbl... mdw' means the system.mdw that gets installed with Access 97 (you can get a pristine copy from the installation disks if you want to be sure it's pure). '2002 mdw' means the system.mdw that gets installed with Access 2002 (you can rename all the *.mdw files on your machine, and start 2002 - it'll create a pristine one for you). It is a bug, but I don't see it getting fixed: a. pretty obscure circumstances in which it would arise - therefore very few customers affected b. ULS has been deprecated in ACCDB format in 2007 c. official support for '97 is long over -- Joan Wild Microsoft Access MVP Hi Joan,
Thanks for trying this. I really appreciate you taking the time. Unfortunately for me, this was a very real-world scenario: I had created my database in Access 97 on one PC (PC1), continued my development and secured the database in Access 2002 on another PC (PC2), and then found that I could open the ‘secured’ database on PC1 (which was running Access 2002 at the time) just by double-clicking the file. (For some reason Access 2002 on PC1 was still using the Access 97 System.mdw in C/Windows/System32.) This shattered my confidence in ULS, and I wanted to find out how extensive this bug was. I believe now that the bug is that when Access 2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE THE ADMINS SID STORED IN THE MDB FILE. As a result, before I run the Security Wizard from now on (in any version of Access), I’ll copy all of the databases objects into a blank database created in the version of Access that I’m running the Security Wizard in, and secure the new database instead. Show quote "Joan Wild" wrote: > Yes I did get it, and I responded by email. As I said, you had me follow a pretty obscure set of steps. I can't think that one would follow this in any real-world situation. I mean you create a mdb in 2002 while joined to the 97 system.mdw. Then you switch out the 97 system.mdw and replace it with the 2002 system.mdw. Then you proceed to secure it. Then you switch the system.mdw files back again. The secure mdb can be opened by the (what is now the default) 97 system.mdw file in 2002. > > I guess in the strictest sense it is a bug; probably related to the fact that the system.mdw are different versions.(?) But you have to admit those are a pretty strange set of steps one would have to follow to create this situation. > > The system.mdw for 97 is installed in the windows system folder; while the system.mdw for 2002 is installed in a different location. When one creates a 2002 mdb, it isn't likely they'd be using the 97 mdw. And even if they were, it is further unlikely that they'd then switch to the 2002 system.mdw and then secure it. > > If I create a mdb in 2002 using the 2002 system.mdw and then secure it, I can't open it using the 97 system.mdw (nor the 2002 system.mdw). If I create a mdb in 2002 using the 97 system.mdw (and don't switch it back), I can't open it using either 2002 or 97 system.mdw. > > Under what circumstances would you see someone switching the system.mdw so much? > > For those interested in seeing it: > Using 2002, join the '97 version of system.mdw > Close and reopen 2002 and create a new mdb Test.mdb - close the database > Rejoin the 2002 version of system.mdw > Close Access and reopen Test.mdb (now you're joined to 2002 version of system.mdw) > Run the security wizard - just hit Next 7 times and then Finish > Rejoin the 97 version of system.mdw as the default. > Close Access; You'll now find that you can open the secure Test.mdb with the default set to 97 system.mdw > > > > -- > Joan Wild > Microsoft Access MVP > Milewskp wrote:
> Hi Rick, Without reviewing them, can you explain why you did not follow steps 1 > I can open the database on the PC that it was created on just by > double clicking the file icon. When I try this on the PC that the > database was secured on, Access will not let me open the file. (To > secure the database I followed steps 16-32 on Joan Wild's Step by > Step instructions at http://www.jmwild.com/security02.htm.) through 15? Access security has no "frill steps". If you leave something out it does not work. > Can you explain what it is about the permissions set by the Wizard There are no "bugs" that I know of (except in the wizards). ULS is just > that appears to make the database secure on one PC but not the other? > > Can you point me to a reference that lists bugs related to ULS > Security in general, and the Security Wizard in particular? HARD until you fully understand how it works. -- Rick Brandt, Microsoft Access MVP Email (as appropriate) to... RBrandt at Hunter dot com Hi Rick,
Steps 1-15 are optional, as Joan explains in the link. You mentioned that in some versions the wizard does NOT produce a properly secured file. Can you point me to a reference that lists bugs related to the ULS Security Wizard? Show quote "Rick Brandt" wrote: > Milewskp wrote: > > Hi Rick, > > I can open the database on the PC that it was created on just by > > double clicking the file icon. When I try this on the PC that the > > database was secured on, Access will not let me open the file. (To > > secure the database I followed steps 16-32 on Joan Wild's Step by > > Step instructions at http://www.jmwild.com/security02.htm.) > > Without reviewing them, can you explain why you did not follow steps 1 > through 15? Access security has no "frill steps". If you leave something > out it does not work. > > > Can you explain what it is about the permissions set by the Wizard > > that appears to make the database secure on one PC but not the other? > > > > Can you point me to a reference that lists bugs related to ULS > > Security in general, and the Security Wizard in particular? > > There are no "bugs" that I know of (except in the wizards). ULS is just > HARD until you fully understand how it works. > > -- > Rick Brandt, Microsoft Access MVP > Email (as appropriate) to... > RBrandt at Hunter dot com > > > you're full of crap
if JET SECURIT does not work then move to SQL Server the math is _REALLY_ simple Show quote "Rick Brandt" <rickbran***@hotmail.com> wrote in message news:LDSZh.6934$rO7.6841@newssvr25.news.prodigy.net... > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message > news:B3DF35F7-A0F5-40A6-AEF7-69664D167E42@microsoft.com... > > If I create an Access database on one PC, and then secure it by using the > > Security Wizard on a second PC, I find that it is secured on the second PC, > > but completely unsecured when I open it on the first. > > > > Can anyone explain this behaviour? > > That is the expected behavior when a file is secured incorrectly. In some > versions the wizard does NOT produce a properly secured file. Chances are Admin > is still the owner of the database meaning that anyone will be able to open it. > > -- > Rick Brandt, Microsoft Access MVP > Email (as appropriate) to... > RBrandt at Hunter dot com > > ULS is obsolete
move to Access Data Projects Show quote "Milewskp" <Milew***@discussions.microsoft.com> wrote in message news:B3DF35F7-A0F5-40A6-AEF7-69664D167E42@microsoft.com... > If I create an Access database on one PC, and then secure it by using the > Security Wizard on a second PC, I find that it is secured on the second PC, > but completely unsecured when I open it on the first. > > Can anyone explain this behaviour? > > Both PCs are running Windows XP and both are runnign the same copy of MS > Access 2002 > > Authored by: Milewskp > You're still here?
Show quote "Aaron Kempf" <ake***@dol.wa.gov> wrote in message news:eKCMtUOjHHA.3940@TK2MSFTNGP02.phx.gbl... > ULS is obsolete > > move to Access Data Projects > > > "Milewskp" <Milew***@discussions.microsoft.com> wrote in message > news:B3DF35F7-A0F5-40A6-AEF7-69664D167E42@microsoft.com... >> If I create an Access database on one PC, and then secure it by using the >> Security Wizard on a second PC, I find that it is secured on the second > PC, >> but completely unsecured when I open it on the first. >> >> Can anyone explain this behaviour? >> >> Both PCs are running Windows XP and both are runnign the same copy of MS >> Access 2002 >> >> Authored by: Milewskp >> > >  |
|||||||||||||||||||||||
Other interesting topics