workgroup file

[Secret Squirrel]

I have my workgroup file in a different folder on my server but do I need to
only have read/write access for my users to the mdw file? Can I set up
windows security to that folder without "List Folder Contents" set to allow
so they cannot get into that folder directly? Will this prevent users from
getting into that folder and possibly deleting my mdw file. Is this a
safe/secure way?

 

[Tom Wickerath]

Hi Secret Squirrel,

You can restrict the file permissions for your users on the actual .mdw file
itself, giving them read only and not allowing delete privileges, however,
you must maintain full RWCD privileges for the shared folder. The reason is
that a .mdw file is just another JET database, which has a locking database
file (*.ldb) associated with it. Your users would need to be able to create
the .ldb file (the first user into the applications, and other users would
need to be able to share this file.

There's really no way to prevent a skilled person from determining the
shared folder path. It is easy enough to discover, even if it is a hidden
folder.


Tom Wickerath
Microsoft Access MVP
http://www.accessmvp.com/TWickerath/
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________

 

[Secret Squirrel]

Hi Tom,

I was going to give the users RWCD privileges to the folder but just
restrict their access to list the contents of the folder. This way they can't
open the folder if they were browing the network. I tested it yesterday and
denied access to the list the contents and they were still able to create the
..ldb file, etc. Won't this prevent them from getting to the physical file but
still give them full access to the mdw file?

SS

 

[Tom Wickerath]

Hi SS,

Won't this prevent them from getting to the physical file...

No, I don't think so. For one thing, you will likely need to include the
path to the .mdw file in a shortcut, unless you permanently join to it.
Either way, the path would be exposed.

You can restrict them from deleting the .mdw file, but I don't think there
is a any viable way of preventing them from copying this file. If they can
copy it, they can take it home and crack it at their leisure. And, yes, there
are tools available for free that will reveal all usernames and passwords in
..mdw files.


Tom Wickerath
Microsoft Access MVP
http://www.accessmvp.com/TWickerath/
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________

 

[Secret Squirrel]

Hi Tom,

I am using the path to the .mdw in the shortcut so I won't be permanently
joined to the file. It seemed to work when we removed access to the folder
directly but still allowed users to read/write to the .mdw file in that
folder. This way if they browse the network and click on the folder where the
..mdw file is it won't let them open the folder. But they will still be able
to open the database using that .mdw file even though they can't get to it. I
don't think (I could be wrong) there is any way that they can get to the file
now. Correct?

SS

 

[Tom Wickerath]

Hi Secret,

I certainly wouldn't want to bet my paycheck on your assumption. Try the
following experiment:

1.) Open a Command Window ---> Start | Run, and enter: cmd
You should see a black DOS-like screen. Issue the command:

cd..

two times, to return to the root folder (C:\>). Then issue the cls
command, to start with a clean slate.

2.) Create a Temp folder (C:\Temp), if you do not already have one:
C:\> md Temp

(You can also create this temp folder using Windows Explorer, instead of
doing it in the command prompt).

3.) Enter the copy command, with the corresponding file path, for the folder
that you expose in the target of your shortcut. The syntax is this, however,
for clarity, I have added some extra spaces in-between the parameters:

Copy FullPathToSourceFile FullPathToDestinationFile

For example:

C:\> Copy \\server\share\folder\MyFile.mdw C:\Temp\*.*

You may (?) need to use the corresponding short file names for any portions
of the full path that include spaces or exceed (8) characters. I'm not really
sure if you need to do this or not. If you do have a long path that includes
spaces, then try first enclosing it in doublequotes, like this:

C:\> Copy "\\server\share\My folder\My File.mdw" C:\Temp\*.*



Tom Wickerath
Microsoft Access MVP
http://www.accessmvp.com/TWickerath/
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________

 

[Secret Squirrel]

Hi Tom,

Sorry for the delay. I've been out on vacation this week so I haven't had a
chance to test your solution. I'll be in the office tomorrow so hopefully
I'll have some time to test it out. Hope you had a nice Thanksgiving.

SS

 

[Secret Squirrel]

Hi Tom,

Sorry for the delay. Just got a chance to test out this theory. I removed
the "List Folder Contents" from the permissions via windows and then tested
logging into the DB. It won't allow you to create the ldb file. When I had
tested it previously people were already in the DB so the file was already
created. But when starting from scratch it will not allow you to create that
file so my test failed. I guess they need "List Folder Contents" permissions
to the folder where the mdw file is.

My only other thought to keep this file secure from users would be to put it
in a file on the server where nobody knows it is. I guess I still run the
risk of having someone find it if they're clever enough to browse the
network. I wish there was an easy way to protect this file from people
getting to it.

Thanks for your help Tom!
Always appreciated!

SS

 

[Tom Wickerath]

Hi Secret Squirrel,

If you have PIA (Personally Identifiable Information) in your database, such
as employee home addresses, salary, social security numbers, etc., then you
would really be doing an injustice to your employees, and exposing yourself
to future liability, if you choose to use Access to store this type of data.
If security is really important in your case, then you need to look into
using SQL Server, Oracle, etc. as the back-end data store.


Tom Wickerath
Microsoft Access MVP
http://www.accessmvp.com/TWickerath/
http://www.access.qbuilt.com/html/expert_contributors.html
__________________________________________