Question about database security (1 Viewer)

theDBguy

theDBguy

I’m here to help
Staff member
Local time
Today, 10:03
Joined
Oct 29, 2018
Messages
21,473
sumdumgai said:
The whole thing is out the window if they have disabled macros or copied the database to un-trusted location, in which case the 'Autoexec' (verify user function) is not performed. Now they have access to everything.
Click to expand...
Hi. As I said earlier, since you're using a file-based security, you cannot prevent anyone from stealing the file and breaking your security. However, I would say the above quoted statement is not entirely true. If you put an Access database in a non-Trusted Location, VBA is disabled, but macros are not. So, when you say "they have disabled macros," I would like to know how exactly "they" are doing this. In any case, I told you what you could do to avoid giving away what you don't want them to steal, which was, don't include anything in the file unless the code can run. In other words, if the user improperly opens your db, it's empty. Otherwise, it's full of stuff. Also, telling us exactly what you're trying to protect would help in giving you more specific advise. For example, if you're trying to protect your VBA code from being modified or copied, then you can convert/compile your application into a ACCDE.
 
isladogs

isladogs

MVP / VIP
Local time
Today, 18:03
Joined
Jan 14, 2017
Messages
18,219
So why don’t you do exactly what I suggested in post #6 which covered all the points you have described.
 
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
From what I'm seeing, if the macro is a 'run code' macro, and if either 'macros are disabled' in the Trust Center Settings, or if 'macros are disabled' and the database is not in a trusted location, then the macro errors with '2001'.


I have VBA code locked from viewing with a password.
 
theDBguy

theDBguy

I’m here to help
Staff member
Local time
Today, 10:03
Joined
Oct 29, 2018
Messages
21,473
sumdumgai said:
From what I'm seeing, if the macro is a 'run code' macro, and if either 'macros are disabled' in the Trust Center Settings, or if 'macros are disabled' and the database is not in a trusted location, then the macro errors with '2001'.

I have VBA code locked from viewing with a password.
Click to expand...
Hi. You're correct. When VBA is disabled, then macro calls to VBA will error out. So, what I was saying was test first if you can call VBA from your macro. If not, then get out; otherwise, continue on. I already told you how to test if VBA is disabled or not from a macro.

PS. I almost missed it... You just told us how you disable macros - through the Trust Center Settings. Unfortunately, I just gave it a try and selected "Disable all macros without notification," but my Autoexec macro still fired even when the file was in a non-trusted folder. So, I think what I was saying, to put a test for VBA availability from the Autoexec macro, should work and help you overcome some of your concerns. However, if the user uses the shift bypass, then all bets are off. This is a limitation of Access, and we all have to live with it. The only way around it is to only run your application in Runtime environments.
 
Last edited:
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
Thanks isladogs. Your suggestion in Post 6 is now what I'm trying to do.
 
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
theDBguy. I need help with that. What would the macro look like? I tried to do some error handling but got hung up with a named error handler macro not being in the Autoexec group. Thanks.
 
theDBguy

theDBguy

I’m here to help
Staff member
Local time
Today, 10:03
Joined
Oct 29, 2018
Messages
21,473
sumdumgai said:
theDBguy. I need help with that. What would the macro look like? I tried to do some error handling but got hung up with a named error handler macro not being in the Autoexec group. Thanks.
Click to expand...
Hi. I gave it to you in Post #7. You can use an If/Then action to test for [CurrentProject].[IsTrusted].

One thing I will say about the option between using an Autoexec macro or a Startup Form is this: An Autoexec macro will fire - no mater what; whereas, a Startup Form will always open, but may not run any code at all, if code is disabled.
 
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
So, does 'IsTrusted' mean that 'Macros are enabled'; i.e., that a 'run code' macro will run? If 'macros are disabled' but the database is in a trusted location, does that also mean that the macro will run?


Thanks.
 
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
So I moved the verify user code to a load event for a hidden form. After a lot of testing and adjusting everything seems to work the way I want except for one kludge. For an 'Admin' person wanting to open the FE, ribbon menus and shortcuts are initially disabled. That's because the unload event for hidden form sets those properties to off. So, for an Admin person, I set those props to on and then issue a message directing the Admin person to shut down the database and restart. I know this is off subject of this post so if anybody has any ideas I can start another post.
 
theDBguy

theDBguy

I’m here to help
Staff member
Local time
Today, 10:03
Joined
Oct 29, 2018
Messages
21,473
sumdumgai said:
So, does 'IsTrusted' mean that 'Macros are enabled'; i.e., that a 'run code' macro will run? If 'macros are disabled' but the database is in a trusted location, does that also mean that the macro will run?

Thanks.
Click to expand...
You can say that, but I would say "IsTrusted" means the file is well, "trusted" either as a document or stored in a trusted folder. If so, code is enabled.
 
S

sumdumgai

Registered User.
Local time
Today, 13:03
Joined
Jul 19, 2007
Messages
453
When I first posted this topic, I had encountered what I thought was a hole in security when I used Autoexec (RunCode) to verify user-id and password. The hole occurs when the user has not enabled macros or when they move the database to an un-trusted location. In either of those cases, the Autoexec macro errors and then leaves the database in an exposed state. Moving that verify code to a form event eliminates that hole as does putting a check in Autoexec for [CurrentProject].[IsTrusted]. A user could also bypass Autoexec macro with Shift Key Bypass.
 
The_Doc_Man

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 12:03
Joined
Feb 28, 2001
Messages
27,182
Ah, but there is a way to disable that Shift Key bypass as well.

Search this forum for "Securing a database" and I'm sure you will find the articles on how to do that.
 
You must log in or register to reply here.

Similar threads

G
Best Practices for Preventing Unauthorized Access to SQL Server in Access Applications
Replies
2
Views
292
Pat Hartman
P
V
Solved Security Risk Microsoft has blocked.....
Replies
17
Views
248
The_Doc_Man
The_Doc_Man
B
Access Requery Issue
Replies
3
Views
204
The_Doc_Man
The_Doc_Man
M
Shift Key Bypass
Replies
14
Views
462
Marshall Brooks
M
G
Access Options Confirm: Record changes, document deletions, action queries
Replies
6
Views
1,092
gemma-the-husky
gemma-the-husky

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Top Bottom