A2007 Security. Diff between desktop icon and Explorer question

Salad

I have an A2003 mdb. If I start it in A2003 from a desktop icon or from
navigating to the mdb in Explorer and dbl-clicking on it I am prompted
for a username and password.

Using A2007, if I have a desktop icon that specifies a mdw file I get
prompted for my password. If I utilize Explorer, it zips right into the
application without a prompt for username/password. Is that normal?
That if you want ULS, use an icon. If you want to bypass ULS, enter via
Explorer?
 
Tom van Stiphout

On Wed, 10 Feb 2010 18:29:03 -0800, Salad <[email protected]>
wrote:

You may have been lured into a false idea that click-click you could
secure an Access database. Not so. ULS is an advanced topic. You have
to download, study, and fully understand the Access Security FAQ from
microsoft.com before proceeding.
ULS has been removed from the most recent versions of Access (hint,
hint).

-Tom.
Microsoft Access MVP
 
Salad

Tom said:
You may have been lured into a false idea that click-click you could
secure an Access database. Not so. ULS is an advanced topic. You have
to download, study, and fully understand the Access Security FAQ from
microsoft.com before proceeding.
ULS has been removed from the most recent versions of Access (hint,
hint).
Hi Tom:

Yes, I do know it was removed. It simply seemed odd that one could get
a user/pw prompt like normal if one used a desktop icon (of course the
icon's properties specified the workgroup) but completely bypasses it
from Explorer... which didn't occur in A2003.

So what does one use for CurrentUser? Since in A2007 that returns
Admin, does one use something like the api to get the Window login
username at http://www.mvps.org/access/api/api0008.htm?

In another application I will be looking at in the near future at the
client site they have a tabbed form on employees. On all tabs but
one the folks have access to view and edit data, but they are locked out
of the one tab from viewing/modifying if not a member of a certain group. Besides
writing/designing a form to present a password, what does one do in a
situation like that? It'd work from the icon, but not from Explorer.
 
Salad

Tom said:
Yes, I typically ask Windows who is logged in. I wrote a blog entry
about one solution: use Active Directory. Here is the article:
http://www.accesssecurityblog.com/post/Securing-Access-databases-using-Active-Directory.aspx

-Tom.
Microsoft Access MVP

That appears to be excellent.

You mention it can be used in both MDB and ACCDB...in my case A2003 and
A2007. Is it your recommendation to keep the ULS in A2003? The users
still get prompted to enter login name/password?

I will assume AD doesn't prompt for a name/password when entering an
application. Does one check the version and do something like
If Version = "A2003" Then
    Me.Person = CurrentUser()
Else
    Me.Person = ADName()
End If
or does one simply ignore the ULS and version?

Does everybody have right to Active Directory and setup? Or is that set
up by a network administrator? Due to the computers being moved into a
new office I can't log on to check right now via RDC.

One last question. How does a developer run an app, for
development/testing, if one is on a standalone machine if one utilizes
your code?
 
David W. Fenton

ULS has been removed from the most recent versions of Access
(hint, hint).

NO, it has not.

The ACCDB format has been crippled in a way that prevents the ACE
from utilizing user-level security, but the ACE still supports Jet
ULS, and A2007 still supports it.
 
David W. Fenton

You mention it can be used in both MDB and ACCDB...in my case
A2003 and A2007. Is it your recommendation to keep the ULS in
A2003? The users still get prompted to enter login name/password?

Jet ULS is still supported in A2007. You don't have to do anything.
Just keep your MDB file and your workgroup and treat it exactly the
same as you have in every previous version of Access.

It's only the ACCDB format where ULS doesn't work, and there is
really nothing in ACCDB format that is needed by anybody who is not
integrating with Sharepoint.
 
Salad

David said:
Jet ULS is still supported in A2007. You don't have to do anything.
Just keep your MDB file and your workgroup and treat it exactly the
same as you have in every previous version of Access.

The app hasn't been converted to A2007 format. From an icon
C:\A2007\MSAccess.exe C:\Apps\Myapp /wrkgrp C:\test.mdw
works like a champ. Same with A2003.

Using Explorer, I go to C:\APPs and dbl-click the mdb. For A2003,
prompted for user/pw. In A2007 float right in without logging in. Is
that normal?
It's only the ACCDB format where ULS doesn't work, and there is
really nothing in ACCDB format that is needed by anybody who is not
integrating with Sharepoint.
Don't have that format.
 
Tom van Stiphout

On 11 Feb 2010 20:55:48 GMT, "David W. Fenton"

That was shorthand for "accdb does not support uls".
I do agree with your other statements.
-Tom.
 
Tom van Stiphout

Comments in-line.
-Tom.
That appears to be excellent.

You mention it can be used in both MDB and ACCDB...in my case A2003 and
A2007. Is it your recommendation to keep the ULS in A2003? The users
still get prompted to enter login name/password?
Tom: As my article says, this is not a one-for-one replacement for
uls, but if your only objective is to give some users different access
rights to the app than others, and you are on a domain, it is a good
replacement, and I would drop uls so we can manage all access using
Active Directory.
I will assume AD doesn't prompt for a name/password when entering an
application.
Tom: Correct.

Does one check the version and do something like
If Version = "A2003" Then
    Me.Person = CurrentUser()
Else
    Me.Person = ADName()
End If
or does one simply ignore the ULS and version?
Tom: see above.
Does everybody have right to Active Directory and setup? Or is that set
up by a network administrator? Due to the computers being moved into a
new office I can't log on to check right now via RDC.
Tom: Everyone has at least readonly access. This is required for
logging in to the domain. If it is possible to put stricter controls
on it, I am not aware of it.
One last question. How does a developer run an app, for
development/testing, if one is on a standalone machine if one utilizes
your code?
Tom: when away from AD you would have to write some replacement code.
That's why my article mentions this as one of the requirements.
For example you could alter IsMemberOfSecurityGroups to say:
If GetComputerName() = "SaladsMachine" Then
    IsMemberOfSecurityGroups = True
Else
    'original code goes here
End If
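The approach Tom outlines above (ask Windows who is logged in, decide by Active Directory group membership, and fall back to something explicit on a standalone development machine) written out as one VBA module. This is an added example, not code from the thread or from Tom's article; the group name "HR-Confidential", the machine name "DEVBOX-PLACEHOLDER", and the function names are assumptions. It assumes a domain-joined client, the default DAO reference, and that the ADSI objects (ADSystemInfo, the LDAP provider) are available, which they are on any Windows domain member.

```vba
Option Compare Database
Option Explicit

' Added example (not from the thread). Resolves the Windows login name and
' checks Active Directory group membership, with an explicit fallback for a
' standalone developer machine. Names marked PLACEHOLDER are constructed.

#If VBA7 Then
    Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" _
        Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
#Else
    Private Declare Function GetUserName Lib "advapi32.dll" _
        Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
#End If

' Windows login name of the interactive user. This is what to store in an
' audit column instead of CurrentUser(), which returns "Admin" for everyone
' once the default workgroup has an unsecured Admin account.
Public Function WindowsUserName() As String
    Dim buf As String, size As Long
    size = 256
    buf = String$(size, vbNullChar)
    If GetUserName(buf, size) <> 0 Then
        ' On return, size counts the terminating null, so drop it.
        WindowsUserName = Left$(buf, size - 1)
    End If
End Function

' True when the session is a domain logon. On a standalone machine, or for a
' local account on a domain-joined machine, USERDOMAIN is just the computer
' name, and an LDAP lookup would fail anyway.
Public Function OnDomain() As Boolean
    OnDomain = (StrComp(Environ$("USERDOMAIN"), Environ$("COMPUTERNAME"), _
                        vbTextCompare) <> 0)
End Function

' True when the current user is a direct member of the named AD security
' group. Nested group membership is not expanded here.
Public Function IsMemberOfSecurityGroup(ByVal groupName As String) As Boolean
    Dim sysInfo As Object, usr As Object, grp As Object
    IsMemberOfSecurityGroup = False

    If Not OnDomain() Then
        ' Developer fallback, as Tom suggests: tie it to one named machine
        ' rather than silently granting access whenever AD is unreachable.
        IsMemberOfSecurityGroup = (StrComp(Environ$("COMPUTERNAME"), _
                                           "DEVBOX-PLACEHOLDER", vbTextCompare) = 0)
        Exit Function
    End If

    ' ADSystemInfo.UserName is the distinguished name of the logged-in user,
    ' so no password is ever collected by the application.
    Set sysInfo = CreateObject("ADSystemInfo")
    Set usr = GetObject("LDAP://" & sysInfo.UserName)
    For Each grp In usr.Groups
        ' IADs.Name comes back as "CN=<group>" from the LDAP provider.
        If StrComp(grp.Name, "CN=" & groupName, vbTextCompare) = 0 Then
            IsMemberOfSecurityGroup = True
            Exit For
        End If
    Next grp
End Function

' Example use for the tabbed employee form in the question: hide the
' restricted page unless the user is in the group. pgConfidential is an
' assumed tab page name.
Public Sub ApplyTabRestriction(ByVal frm As Form)
    frm.Controls("pgConfidential").Visible = IsMemberOfSecurityGroup("HR-Confidential")
End Sub
```

Call ApplyTabRestriction(Me) from the form's Open event. Because the decision is made on the client, this is only as strong as the client: a user who can open the MDB in design view can remove the check, so the same group rule should also be enforced wherever the data actually lives (NTFS permissions on the back end, or a server database with its own logins), and the tab is then a usability measure rather than the only control.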
 
David W. Fenton

That was shorthand for "accdb does not support uls".
I do agree with your other statements.

Please write what you mean to say, as many people read what you say
and have a heart attack thinking they can't use ULS or replication
in A2007.
 
David W. Fenton

The app hasn't been converted to A2007 format. From an icon
C:\A2007\MSAccess.exe C:\Apps\Myapp /wrkgrp C:\test.mdw
works like a champ. Same with A2003.

Using Explorer, I go to C:\APPs and dbl-click the mdb. For A2003,
prompted for user/pw. In A2007 float right in without logging in.
Is that normal?

Depends on the default workgroup that is defined in the system
registry. If it has a password on the admin account, you'll get a
prompt. If it doesn't, you won't.

This is the most basic aspect of ULS and if you don't know it, um,
you really shouldn't be using it.

It seems obvious to me that A2007 is using its own workgroup file
and it's not got a password on the admin account.
 
David W. Fenton

Tom: Everyone has at least readonly access. This is required for
logging in to the domain. If it is possible to put stricter
controls on it, I am not aware of it.

To deny read-only, you'd deny access to the file itself with NTFS,
no?
 
Salad

David said:
Depends on the default workgroup that is defined in the system
registry. If it has a password on the admin account, you'll get a
prompt. If it doesn't, you won't.

This is the most basic aspect of ULS and if you don't know it, um,
you really shouldn't be using it.

Why is there even a newsgroup on Ms-Access security? Maybe the Shadow
knows, or David Fenton.

Why open your yap if you as an expert have nothing to say or contribute?
If you can't explain a concept, you certainly are no expert.
It seems obvious to me that A2007 is using its own workgroup file
and it's not got a password on the admin account.
Do you even have A2007?
 
David W. Fenton

Why is there even a newsgroup on Ms-Access security? Maybe the
Shadow knows, or David Fenton.

Why open your yap if you as an expert has nothing to say or
contribute?
If you can't explain a concept, you certainly are no expert.

I have not claimed to be an expert.

I've secured enough databases to know that it's really quite easy to
get it wrong, and I've not kept up with the default locations for
workgroup files in recent versions of Access, but I do know that
they multiply in the default configurations (as has been the case
since A2000) and can be scattered across your computer in the
SYSTEM32 folder, in the Office application folder and in AppData in
your user profile.
Do you even have A2007?

Yes, I do. But I don't use it, nor have I worked with ULS to secure
a database for several years.

The A2007 help file implies that A2007 doesn't create its own
workgroup file, but inherits one from A2003 if you have it
installed. But this is actually FALSE. I have one workgroup file for
A2003 and a different one for A2007. In A2003:

?dbengine.SystemDB
C:\Documents and Settings\david.fenton\Application Data\Microsoft\Access\System.mdw

...and in A2007:

?dbengine.SystemDB
C:\Documents and Settings\david.fenton\Application Data\Microsoft\Access\System1.mdw

The dates on the files don't make any sense, as the creation date on
the latter file predates my installation of A2007, so it's not clear
to me when that file was put on my system. I had the A2007 runtime
installed before I installed full A2007, but it looks like the
workgroup file is part of the original A2007 distribution.

So, basically, I think that my original assessment was likely correct
-- your default workgroup in A2007 is not the same as the default
workgroup you're using in A2003.

At least, that seems to me to be the most likely explanation.
Perhaps something else is going on, but if so, it's impossible to
say from the information you've provided.
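A small diagnostic, added here and not part of the thread, that turns David's explanation into something Salad can run in each Access version: it reports the workgroup file the running instance is using (DBEngine.SystemDB, as in the Immediate-window check above), who Jet thinks is logged in, and whether the Admin account in that workgroup accepts a blank password. The function name is an assumption; it assumes the default DAO reference.

```vba
Option Compare Database
Option Explicit

' Added example (not from the thread). Run from the Immediate window in each
' Access version (?WorkgroupReport) to see why one launch path prompts and
' the other does not.
Public Function WorkgroupReport() As String
    Dim ws As DAO.Workspace
    Dim s As String

    s = "Workgroup file : " & DBEngine.SystemDB & vbCrLf
    s = s & "Logged in as   : " & CurrentUser() & vbCrLf
    s = s & "Database       : " & CurrentDb.Name & vbCrLf

    ' Open a Jet workspace as Admin with a blank password against the
    ' workgroup currently in use. CreateWorkspace validates the credentials
    ' immediately, so success means Admin is unsecured in this workgroup and
    ' Access will never show a logon prompt when launched with it.
    On Error Resume Next
    Set ws = DBEngine.CreateWorkspace("uls-check", "Admin", "", dbUseJet)
    If Err.Number = 0 Then
        s = s & "Admin password : NONE (no logon prompt with this workgroup)"
        ws.Close
    Else
        s = s & "Admin password : set (error " & Err.Number & _
                " on blank-password logon)"
    End If
    On Error GoTo 0
    Set ws = Nothing

    WorkgroupReport = s
End Function
```

If the A2003 run shows the secured workgroup and the A2007 run shows a different file with an unsecured Admin, the Explorer behaviour is explained: the MDB is being opened under a workgroup in which everyone is Admin. The lasting fix is the one in the Access Security FAQ rather than the icon: secure the MDB itself so that the Admin user and the Users group hold no permissions on it, after which it cannot be opened from any workgroup other than the one the icon supplies, whichever Access version or launch path is used.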
 
Tom van Stiphout

On 12 Feb 2010 17:16:37 GMT, "David W. Fenton"

My answer referred to whether or not access to AD (using LDAP) could
be restricted, not to some file.

-Tom.
Microsoft Access MVP
 
David W. Fenton

My answer referred to whether or not access to AD (using LDAP)
could be restricted, not to some file.

Uh, I don't understand what you mean. Doesn't every computer in a
domain have to have access to AD to work? Or are you saying that AD
refuses LDAP queries from certain users?

Tell us more, please!
 