tags:

views:

568

answers:

7
Q: 

How to improve protection on a MS Access MDB besides password protection?

Hi guys, i have a mdb access which is password protected but that can be easily cracked by a free tool found in google within like 1second. Besides paying for some expensive tools, is there a good way in how to protect a ms access databse file? I'm thinking of encrypting it then via a dll to decrypt it, get some data, and pass it to a third party app, then when the connection is close, encrypt the file again.

If anybody care to comment on the fallacy of this method, or has some other resources, tools, etc, that would be great.

thanks :)

A: 

Saving the data in an encrypted format would be a solution. If the password "fails" the cracker has to decrypt the data as well

Chathuranga Chandrasekara  2009-05-07 07:53:51
@Chathuranga, any advises on the algol to use? I was planning to use the method as outlined in this article http://support.microsoft.com/kb/307010
melaos  2009-05-07 07:57:18
Hi, I think this may not be suitable. It might introduce latencies when the file grows. When some information is needed you have to decrypt the file before fetching the data; so definitely there will be a performance bottleneck. Don't you think so?
Chathuranga Chandrasekara  2009-05-07 08:44:36
+2  A: 

Access is an old database, why not SQL Express 2005 (witch is for free)? you will get plenty more about security and inside your application you use a user/pwd in the connection that no one will know and can't see it... if they try to open SQL, they will only see the Database Name, and nothing else (remember to use SQL authentication and not windows authentication)

if you are using .NET, in your Setup you can tell to only install your application after SQL 2005 Express is installed, or if using other language, use InstallShield, FinalBuilder, etc. to do the same...

:)

you idea "struggles" me when I thing that... Access has start to have poor response time with more than 30k rows in one table (quote from Microsoft), and if you going to create a Layer to encrypt / decrypt data ... your app will just go from slow to not working at all ... will this be a good idea?

balexandre  2009-05-07 07:57:13
@balexandre it's because it's a desktop app, and we're trying to minimize the amount of stuff needs to be installed on the customer's pc.
melaos  2009-05-07 07:58:19
I don't think that SQL 2005 Express will go in the "minimize" part, cause it's all about security. And you can always implement a Log feature in the SQL and a back door so from your company you can get the Logs from the client and help him debugging the app if something goes wrong... your app will defiantly have a big boost if talking to SQL Express rather than Access.
balexandre  2009-05-07 08:02:46
my days with Access end when SQL Express 2005 came to public... I did some stuff in MSDE back in Classic ASP, but now, for WinForms, WPF, WCF, or whatever I use SQL Express 2005 with all projects from my company, client does not care, really! and you are not shipping the file in your setup, just the link that will automatically download and installed for you, no harm!
balexandre  2009-05-07 08:04:52
Microsoft Access costs more for many environments. All versions of Windows come with SQL functionality by default.
Mark  2009-05-07 08:07:00
Also, you'll be in a better position to separate the database if you ever need to scale up.
Mark  2009-05-07 08:11:12
@balexandre good point , then do you have any resources or where i should go from here, as i find it rather painful to do too much and risk making it way overcomplicated.
melaos  2009-05-07 08:16:11
ohhh, not just that Mark... there are soooo many benefits of using SQL against Access ... :) speed, security, expansability, extensability, Store Procedures, triggers, etc etc etc :D
balexandre  2009-05-07 08:19:55
@malos "...do you have any resources..." resource about what, how to tell the Setup that you need SQL Express Edition on the client machine? Deploy the mdf file? what do you actually need? shouldn't that be a new question? ;)
balexandre  2009-05-07 08:21:41
melaos  2009-05-07 08:25:30
balexandre  2009-05-07 08:28:11
@balexandre: What's the Microsoft source for your statement about performance problems over 30K rows? It certainly doesn't reflect my experience as I've had more than one multi-user Access app with a Jet back end and 100s of thousands of records in related tables.
David-W-Fenton  2009-05-07 23:00:34
@Mark says: "All versions of Windows come with SQL functionality by default." All versions of Windows since 2000 come with the Jet database engine, but I don't know what you mean by "SQL functionality." They certainly don't come with SQL Server installed.
David-W-Fenton  2009-05-07 23:01:32
@David, it's a know problem and if you google it you will find plenty info on the Access problems... if you do have that, give it a try... create a SQL Express Database, import your access data into it, and check the times with the same call, execute one simple query and the biggest query you have and see the differences!
balexandre  2009-05-08 18:24:58
A: 

Whatever method you use will be crackable by someone knowledgeable.

It really depends how valuable the data is: if it's truly valuable, I'd use a different model, like putting the database behind a server on the internet. Then you can limit the number of queries, as well as filter for misuse.

If a leak can be traced, or is of limited use, you're better off guarding the data with the licensing agreement. At least then you may have a way of recovering your losses. Note that the OED has recently removed its copy protection.

Also consider the future: some network admin in 10 years may need to legitimately get access to the data, and using a simple password will show the data should be protected, but still allow circumvention.

Mark  2009-05-07 08:01:45
+1  A: 

What about updating from MDB format to ACCDB (Access2007) format?

Get started with Access 2007 security

"The encryption tool in Office Access 2007 combines and improves on two older tools — database passwords and encoding. When you use a database password to encrypt a database, you make all data unreadable by other tools, and you force users to enter a password to use the database. The encryption applied in Access 2007 uses a stronger algorithm than was used in earlier versions of Access..."

onedaywhen  2009-05-07 08:32:48
A: 

For a desktop app I would suggest you go the route of Sql Server Compact Edtition (SQLCE). Or if you have a bit of money, VistaDB (unlike SQLCE it supports stored procedures, views and triggers). You'll get better security, better performance, less hassles with maintenance and corruption and easier deployment.

Conrad  2009-05-07 08:39:17
+1  A: 

I'm unclear from reading your post if you are only trying to protect data, or if you are you trying to protect something else such as say VBA code exclusively. You say that you have an mdb file but are you working with Access 2003, 2007 or some other version? Have you/are you planning to deploy your Access solution on an Intranet site? (For my comments below I am going to assume that you are).

I agree with other posters that if you have the chance to consider other solutions before deploying an Access-based solution you should. However, if you can't avoid an Access-base solution I would like to share the following suggestions and/or comments.

  1. If you are working with Access 2003 then you may want to consider User and Group Level security (User/Group Level security setup & configuration not available in Access 2007 (accdb) format databases, however Access 2007 will recognize User/Group permissions from mdb files. With User/Group level security you can limit access to your database based on defined users and workgroups. For more information - [http://office.microsoft.com/en-us/access/HP051882261033.aspx][1]

  2. Consider splitting your database (keep your data separate from your application objects such as Forms, Reports) and/or creating different versions that limit the objects that are available.

  3. Keep a master for design and a replica for production. This is in keeping with the previous comment where the idea is that not everything is on the table for the taking. You may want to look into Access Developer Extensions (if you haven't already) which is available for 2003 and 2007 (free to download and install from Microsoft).

  4. Employ, whenever possible, policies that discourage and/or limit staff or coworker access (again I'm assuming you're deploying on a company Intranet)

  5. Encode your database. This will make property information for your tables, VBA code harder to retrieve as the database will be compacted and any design-level information will be removed or harder to access.

  6. Lastly, if you have the time, resources and/or a nearby library/bookstore with a copy available I recommend that you check out Alison Balter's mastering Microsoft Office Access 2003, Check out the section on Developing Mult-User and Enterprise Applications which has a section on security. Updated for ACCESS 2007: Alison Balter's Mastering Microsoft® Office Access 2007 Development

 2009-05-07 09:34:19
@Jason, trying to protect the data inside the mdb.
melaos  2009-05-07 10:26:20
When you suggest "Keep a master for design and a replica for production." are you seriously suggesting using Jet replication? I consider that truly bad advice for anything other than a case where you actually need to edit data in two temporarily disconnected locations. See http://dfenton.com/DFA/Replication/ for lots of discussion fo what Jet Replication is good for.
David-W-Fenton  2009-05-07 23:04:50
+1  A: 

I'm all for using Jet wherever it's appropriate, but when you start worrying about password protecting data beyond what you would get with NTFS security and Jet ULS, you're in territory where you need to use a different data store.

But let me say this:

Security is not a technological problem -- it's a people problem. No security will protect you from the user with admin permissions who wishes you ill. You always have to trust people enough to give them permissions to view and edit your data. Too often, the emphasis is on how to keep the unauthorized users out of your data instead of on designing your app to protect your data from damage that can be done by the authorized users. The former is pretty easy, while the latter requires really careful attention not just to your security settings but to the way in which you design your app.

And in the end, you have to trust people to behave responsibly, and there's nothing Jet or SQL Server can do to help you with that.

David-W-Fenton  2009-05-07 23:08:41

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security