Question Building Security system for Access Database (1 Viewer)

alvingenius · Aug 8, 2019

Hello

I'm building Archiving app with Access
and in work we using it as FE/BE - BE in Local PC in local network
and we are happy with that

i want to add security system to the FE or BE to not allow it working outside users PCs

and disable shift open and hiding tables and pasword protect VBA is not an option here

i'm talking about something like activation system for every user i will put this app on his pc !
like saving his PC specs and validate it everytime he open the app
or to generate a unique activation code for every user using the app for the first time on his pc

That's my work and i wanna protect it !

theDBguy · Aug 8, 2019

Hi. If you simply want to limit the use of the app within your organization, then you should be able to use the user's network account login information to verify if the app should open or not. Just a thought...

alvingenius · Aug 8, 2019

theDBguy said:
Hi. If you simply want to limit the use of the app within your organization, then you should be able to use the user's network account login information to verify if the app should open or not. Just a thought...

i need a more complex one like Activation system
i think your idea is easy to bypass

theDBguy · Aug 8, 2019

alvingenius said:
i need a more complex one like Activation system
i think your idea is easy to bypass

Hmm, how will you be able to bypass something that checks your network login information? Even SQL Server database uses Windows Authentication for security.

alvingenius · Aug 8, 2019

theDBguy said:
Hmm, how will you be able to bypass something that checks your network login information? Even SQL Server database uses Windows Authentication for security.

how to code it ur idea ?

theDBguy · Aug 8, 2019

alvingenius said:
how to code it ur idea ?

The simplest way to do it is to create a table of users and store the network login information (username) for each authorized user. At startup, you retrieve the current user's network login information and compare it against the table. So, if an authorized user opens the app on a computer connected to your company's network, they get in. Otherwise, if the user opens the app from their home computer, then they don't get in.

You could try using this approach to get the current user's network login information. Hope it helps...

alvingenius · Aug 8, 2019

theDBguy said:
The simplest way to do it is to create a table of users and store the network login information (username) for each authorized user. At startup, you retrieve the current user's network login information and compare it against the table. So, if an authorized user opens the app on a computer connected to your company's network, they get in. Otherwise, if the user opens the app from their home computer, then they don't get in.

You could try using this approach to get the current user's network login information. Hope it helps...

any user with good knowledge in Access can't open tables and edit it ?

theDBguy · Aug 8, 2019

alvingenius said:
any user with good knowledge in Access can't open tables and edit it ?

Now, that would be a tall order. No Access database can ever be totally secure because it is based on a file system. In other words, there is nothing preventing anyone, after they managed to get a copy of your app file, to have plenty of time and resources to break into it at their leisure.

So, if you're really concerned about security, you might have to upgrade from using Access into something more secure like SQL Server.

If you want to continue using Access but just want to make it a little harder for any normal user to break into it, then take a look at this article. But still, you'll have to accept the fact that using Access will not be able to give you 100% security.

isladogs · Aug 8, 2019

I see that the DBGuy has given a link to my article on securing Access databases. If you follow all the steps carefully, you will make your database just about as secure as its possible to do … but with the caveat that no Access database can ever be 100% secure against a skilled hacker with sufficient time and determination.
In addition I do have an activation process which I use in some of my commercial apps. However, for fairly obvious reasons I'm not going to give away the code I use for that. In your own words

That's my work and I wanna protect it!

GinaWhipp · Aug 8, 2019

You know maybe the better question is WHAT are you trying to protect? Your code or the Company's data? If the answer is both then you will need to move to an SQL Server with the caveat that the determined *thief* is still getting in but it will be a LOT harder.

If you are just looking to protecting your code doing all the usual steps and adding turning it into an ACCDE will accomplish that.

arnelgp · Aug 8, 2019

why not use the pc's harddisk serial as protection.
the harddisk serial is then saved as property of the database.

Code:

'arnelgp
Public Function GetSetHardDiskSerial()
    Dim prop As DAO.Property
    Dim dbs As DAO.Database
    On Error GoTo err_handler
    Dim strHarddisk As String
    Set dbs = CurrentDb
    'Set the property's value
    'If it doesn't exist, an error 3270 "Property not found" will occur
    strHarddisk = dbs.Containers("Databases")("UserDefined").Properties("HardDisk").Value
    If Err.Number = 0 Then
        If strHarddisk <> GetPhysicalSerial()(1) & "" Then
            MsgBox "You may have been a victim of counterfeit!" & vbCrLf & vbCrLf & _
            "This database is already used in another computer.", vbOKOnly + vbExclamation
            Application.Quit
        End If
    End If
    Set prop = Nothing
    Set dbs = Nothing
    Exit Function
    
err_handler:
    If Err = 3270 Then
        'If the property doesn't exist, create it
        Set prop = dbs.CreateProperty("HardDisk", dbText, GetPhysicalSerial()(1) & "")
        'Append it to the collection
        dbs.Containers("Databases")("UserDefined").Properties.Append prop
    End If
    Resume
End Function

'arnelgp
Function GetPhysicalSerial() As Variant

    Dim obj As Object
    Dim WMI As Object
    Dim SNList() As String, i As Long, count As Long
    
    Set WMI = GetObject("WinMgmts:")
    
    For Each obj In WMI.InstancesOf("Win32_PhysicalMedia")
        If obj.SerialNumber <> "" Then count = count + 1
    Next
    
    'ReDim SNList(1 To Count, 1 To 1)
    ReDim SNList(1 To count)
    
    i = 1
    For Each obj In WMI.InstancesOf("Win32_PhysicalMedia")
        'SNList(i, 1) = obj.SerialNumber
        SNList(i) = Trim(obj.SerialNumber & "")
        Debug.Print Trim(obj.SerialNumber & "")
        i = i + 1
        If i > count Then Exit For
    Next
    
    GetPhysicalSerial = SNList
End Function

create a macor (autoexec) that RunCode the function GetSetHardDiskSerial().
save your db as accde.

test. copy the code to a New Module on a New DB.
create the autoexec macro.
save as accde.

copy the db to another pc, taran!

isladogs · Aug 8, 2019

Hi Arnel
You've given away one part of my activation process

However there's several more checks involved as well....

Pat Hartman · Aug 9, 2019

If you built this app for payment, either as an employee or a consultant, I think you will find that according to the law, the app isn't yours at all. It belongs to the people who paid for it. Unless you have a contract signed by them that gives you ownership.

The_Doc_Man · Aug 9, 2019

Pat brings up a good point, and she is someone who WOULD be experienced in this kind of thing. IF you are in the USA, then the copyright law of 1975 (and as subsequently amended) clearly defines the concept of "Work done for hire" which covers whatever you do when someone else is paying for the end product.

If you build something for a specific customer in the USA, they own it. You don't.

If you are a salaried employee (OR a contract employee) and build something for your employer, they own it. You do not.

If you build something for multiple sales in the USA (i.e. as a commercial product), you need a very specific end user license agreement; if not, then the first time you sell it, you no longer own it exclusively.

Micron · Aug 10, 2019

the harddisk serial is then saved as property of the database.

Database properties can be manipulated from another database. I see no mention of making fe an accde so manipulating properties probably depends on the db not being an accde. I have never tried it on such a database.

Some sort of validation in code is probably part of the requirement otherwise the method can be exposed. Validating Windows login ID against a table is one of the many links you can build into a security chain which should be good enough to keep honest people and curious meddlers out - especially if they cannot overcome the shift bypass. Let's face it, for them to get in, they'd have to put their credentials in the table which isn't exactly being clandestine.

Since this is work related and you're being paid for it, I take your comments a little differently than others; mainly you don't want to be forever fixing it because of anyone meddling where they don't belong. In that case, you do what you think you need to do based on the level of sophistication of the users, among whom I have found there are those who cannot even make a shortcut on their desktop. Besides, doesn't anyone there fear repercussion for meddling in company software/applications?

sonic8 · Aug 10, 2019

arnelgp said:
why not use the pc's harddisk serial as protection.
the harddisk serial is then saved as property of the database.

When I run your code, it just retrieves the volume names of the partitions.

In GetPhysicalSerial(), (1) is just "Data" and (2) is "System" because I didn't bother to enter a name.

My disks are connected to a RAID controller and the OS has no contact whatsoever with the physical disks. - This might not be the most common configuration but it is not really exotic either.

arnelgp · Aug 10, 2019

there are other alternatives like cpuid + motherboard serials:

Code:

'arnelgp
Public Function GetSetCPU_ID()
    Dim prop As DAO.Property
    Dim dbs As DAO.Database
    On Error GoTo err_handler
    Dim strCPU_ID As String
    Set dbs = CurrentDb
    'Set the property's value
    'If it doesn't exist, an error 3270 "Property not found" will occur
    strCPU_ID = dbs.Containers("Databases")("UserDefined").Properties("CPU_ID").value
    If Err.Number = 0 Then
        If strCPU_ID <> CpuId() & SystemSerialNumber() & "" Then
            MsgBox "You may have been a victim of counterfeit!" & vbCrLf & vbCrLf & _
            "This database is already used in another computer.", vbOKOnly + vbExclamation
            Application.Quit
        End If
    End If
    Set prop = Nothing
    Set dbs = Nothing
    Exit Function
    
err_handler:
    If Err = 3270 Then
        'If the property doesn't exist, create it
        Set prop = dbs.CreateProperty("CPU_ID", dbText, CpuId() & SystemSerialNumber() & "")
        'Append it to the collection
        dbs.Containers("Databases")("UserDefined").Properties.Append prop
    End If
    Resume
End Function

'http://vb-helper.com/howto_get_cpu_serial_number_id.html
Public Function SystemSerialNumber() As String
Dim mother_boards As Variant
Dim board As Variant
Dim wmi As Variant
Dim serial_numbers As String

    ' Get the Windows Management Instrumentation object.
    Set wmi = GetObject("WinMgmts:")

    ' Get the "base boards" (mother boards).
    Set mother_boards = wmi.InstancesOf("Win32_BaseBoard")
    For Each board In mother_boards
        serial_numbers = serial_numbers & ", " & board.SerialNumber
    Next board
    If Len(serial_numbers) > 0 Then serial_numbers = Mid$(serial_numbers, 3)

    SystemSerialNumber = serial_numbers
End Function
'http://vb-helper.com/howto_get_cpu_serial_number_id.html
Public Function CpuId() As String
Dim computer As String
Dim wmi As Variant
Dim processors As Variant
Dim cpu As Variant
Dim cpu_ids As String

    computer = "."
    Set wmi = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!\\" & _
        computer & "\root\cimv2")
    Set processors = wmi.ExecQuery("Select * from Win32_Processor")

    For Each cpu In processors
        cpu_ids = cpu_ids & ", " & cpu.ProcessorId
    Next cpu
    If Len(cpu_ids) > 0 Then cpu_ids = Mid$(cpu_ids, 3)

    CpuId = cpu_ids
End Function

sonic8 · Aug 10, 2019

arnelgp said:
there are other alternatives like cpuid + motherboard serials:

These are much better!

Gasman · Aug 10, 2019

arnelgp,

Just FYI on my Acer Aspire 7720 Laptop

systemserialnumber in the debug window just gives me ?

Code:

? SystemSerialNumber
Base Board Serial Number

walking through the code

Code:

? board.SerialNumber
Base Board Serial Number
? Mid$(serial_numbers, 3)
Base Board Serial Number

CPUID does return a value for me though, as does GetSetHardDiskSerial, though these are are hard disks in the laptop.

arnelgp · Aug 10, 2019

is that so?
anyway, just combine whatever text you get from hd+motherboard+cpu.
then try the db on another pc to chk if the security will work.

Question Building Security system for Access Database (1 Viewer)

IT Specialist

I’m here to help

IT Specialist

I’m here to help

IT Specialist

I’m here to help

IT Specialist

I’m here to help

MVP / VIP

AWF VIP

..forever waiting... waiting for jellybean!

MVP / VIP

Super Moderator

Immoderate Moderator

AWF VIP

AWF VIP

..forever waiting... waiting for jellybean!

AWF VIP

Enthusiastic Amateur

..forever waiting... waiting for jellybean!

Similar threads

Users who are viewing this thread