
2. Remove the Admin user from the Admins group.
3. Remove all permissions for the Users group.
4. Remove all design permissions for the Admin user for all objects in the database.
5. Do not supply a password for the Admin user.
Remember that if you do not specify a password for the Admin user, Access will log on all
users as the Admin user. Because the Admin user has no rights to the design of any object,
users cannot access objects or code in Design view.
Table 22-1 summarizes the permissions that you can assign.

Table 22-1
Summary of Assignable Permissions

Permission      Permits a User To                                        Applies To
--------------  -------------------------------------------------------  ---------------------------------------------
Open/Run        Open a database, form, or report, or run a macro.        Databases, forms, reports, and macros

Open Exclusive  Open a database with exclusive access.                   Databases only

Read Design     View objects in Design view.                             Tables, queries, forms, macros, and modules

Modify Design   View and change the design of objects, or delete them.   Tables, queries, forms, macros, and modules

Administer      For databases, set database password, replicate a        Databases, tables, queries, forms, reports,
                database, and change start-up properties. For database   macros, and modules
                objects, have full access to objects and data,
                including the ability to assign permissions.

Read Data       View data.                                               Tables and queries

Update Data     View and modify but not insert or delete data.           Tables and queries

Insert Data     View and insert but not modify or delete data.           Tables and queries

Delete Data     View and delete but not modify or insert data.           Tables and queries
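
The following VBA function is an added example, not code from the book. It uses DAO to check the outcome of steps 2 through 4 above, and it also flags objects still owned by Admin. It narrows the Admin design check to tables and queries; the names AuditDefaultAccounts and Report are hypothetical, and skipping MSys* system objects is an assumption.

```vba
' Added example, not from the book. Requires a reference to the DAO library.
' Paste into a standard module and run from the Immediate window while
' logged on as a member of the Admins group:  ? AuditDefaultAccounts()

Public Function AuditDefaultAccounts() As Long
    Dim ws As DAO.Workspace, db As DAO.Database
    Dim con As DAO.Container, doc As DAO.Document, usr As DAO.User
    Dim findings As Long

    Set ws = DBEngine.Workspaces(0)
    Set db = CurrentDb

    ' Step 2: Admin must no longer be a member of the Admins group.
    For Each usr In ws.Groups("Admins").Users
        If usr.Name = "Admin" Then findings = findings + Report("Admin is in Admins")
    Next usr

    For Each con In db.Containers
        ' Step 3, container level: defaults inherited by newly created objects.
        con.UserName = "Users"
        If con.Permissions <> dbSecNoAccess Then
            findings = findings + Report("Users has defaults on " & con.Name)
        End If

        For Each doc In con.Documents
            ' The owner of an object can always change its permissions.
            If doc.Owner = "Admin" Then
                findings = findings + Report("Admin owns " & con.Name & "\" & doc.Name)
            End If

            ' Step 3, object level. Assumption: MSys* system objects are skipped.
            doc.UserName = "Users"
            If Left$(doc.Name, 4) <> "MSys" And doc.Permissions <> dbSecNoAccess Then
                findings = findings + Report("Users -> " & con.Name & "\" & _
                    doc.Name & " mask &H" & Hex$(doc.Permissions))
            End If

            ' Step 4 (tables and queries only): AllPermissions is explicit plus
            ' group-inherited rights, so it shows what Admin can really do.
            If con.Name = "Tables" Then
                doc.UserName = "Admin"
                If (doc.AllPermissions And dbSecWriteDef) = dbSecWriteDef Then
                    findings = findings + Report("Admin can modify design of " & doc.Name)
                End If
            End If
        Next doc
    Next con

    AuditDefaultAccounts = findings   ' 0 means every check passed
End Function

' Prints one finding to the Immediate window and counts it.
Private Function Report(ByVal msg As String) As Long
    Debug.Print "FAIL: " & msg
    Report = 1
End Function
```
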
Part III ¦ Beyond Mastery: Initiative Within Office
544


Using the Access Security Wizard
Access includes the Security Wizard tool to assist you in securing your database. The
Security Wizard makes it easy for you to select the objects to secure. It then creates a new
database containing secured versions of the selected objects. The Security Wizard assigns
the currently logged-in user as the owner of the objects in the new database and removes all
permissions from the Users group for those objects. The original database is not modified in
any way. Only members of the Admins group and the user who ran the Security Wizard
have access to the secured objects in the new database.

Tip
When you use the Security Wizard, make sure that you are logged in as the user that you want
to become the new database's owner. You must already belong to the Admins group and you
cannot log in as Admin. If you log in as Admin, Access will report an error when you attempt to
run the Security Wizard. If you receive this error, simply log in as another Admins group user.

To start the Security Wizard, log into the database as a user who is a member of the Admins
group. Then select Tools > Security > User-Level Security Wizard.
Follow these steps to create and open the AAASecureWizard database.

Note
These steps assume that you have created the user Student1 and assigned the user to the
Admins group.

1. Exit Access and open the folder that contains Chap34Start.mdb. Copy this file and
name the new copy AAASecureWizard.mdb.
2. Start Access and open the AAASecureWizard database. When Access attempts to
open the database, the Logon dialog box displays. The Logon dialog box displays
automatically because the AAASecureWizard database inherited its permissions
from the original database (Chap34Start).
3. Enter Student1 in the Name field and select OK. (The user Student1 has no assigned
password.) Access opens the AAASecureWizard database.
4. Select Tools > Security > User-Level Security Wizard from the menu to start
the wizard.
The wizard displays a message advising you that you will need to use the existing
workgroup information file, or it can create a new one for the current open database (see
Figure 22-21). Select Create a new workgroup information file and click the Next button.
Chapter 22 ¦ Adding Security to Access Applications 545




Figure 22-21: The Security Wizard helps jump-start your security implementation.

When you select Create a new workgroup information file, the next screen, shown in Figure
22-22, asks you for the filename for the new file, a Workgroup ID number (WID), which
you should write down and save, and, optionally, your name and company.




Figure 22-22: Assigning a unique WID and name to new workgroup information file.

When the new workgroup information file screen appears, it automatically assigns a random
20-character string of numbers and letters to the WID (Workgroup ID) field. You can change
this WID to any value.
As Figure 22-22 shows, you can choose to make this the new default workgroup file for all
databases (not recommended), or have Access create a shortcut to use this file only for this
database (default). Selecting the option to create a shortcut associates this file with only one
database. Click the Next button to display the next screen of the wizard.
The next screen of the wizard, shown in Figure 22-23, lets you select the objects to secure.
By default, the wizard secures all objects in the database. If you deselect an object type
(such as Tables or Forms), none of the objects of that type are exported to the secured
database. If you do not want to restrict security permissions for a set of objects but still want
those objects included in the new secured database, be sure to select the objects in the
wizard. Later on, modify the user and group permissions for those objects in the new
secured database. When you are satisfied with your object selections, select the Next button
to continue.




Figure 22-23: Selecting the objects to secure.

The next screen of the wizard, shown in Figure 22-24, asks you to create an optional
security group account for a series of group actions. These include:
• Backup Operators: Can open the database exclusively for backing up and compacting.
• Full Data Users: Can edit data, but not alter design.
• Full Permissions: Has full permissions for all database objects, but can't assign
permissions.
• New Data Users: Can read and insert data only (no edits or deletions).
• Project Designers: Can edit data and objects, and alter tables or relationships.
• Read-Only Users: Can read data only.
• Update Data Users: Can read and update, but can't insert or delete data or alter
design of objects.
Check all of the optional security groups displayed in the wizard screen. After you have
selected all groups, select the Next button to continue.




Figure 22-24: Additional optional security groups for the database.

Notice that the next page of the wizard, shown in Figure 22-25, lets you choose to grant
permissions to the Users group (the default is no permissions). By selecting Yes, you are
able to assign rights to all object types in the database. Figure 22-25 shows this page with
the Yes option selected. However, you should select the default choice, No: the Users
group should not have any permissions. Select the Next button to continue to the next
wizard screen.




Figure 22-25: Choosing whether or not to assign permissions to the Users group.


Caution
If you decide to grant any permissions to the Users group, you should be aware that anyone
with a copy of Access will have the same permissions that you assign to this group. Essentially,
you are exposing the database to a security breach if you assign rights to this group.

The next page, shown in Figure 22-26, lets you add users to the workgroup information file.
To add a user, enter the name and password information in the appropriate fields and select
the Add a New User button.




Figure 22-26: Adding users and passwords to the workgroup information file.

As Figure 22-26 shows, you can also remove users from the list by simply selecting their
name from the list box on the left and selecting the Delete User from the List button. Select
the Next button to continue.
The next wizard screen to display, shown in Figure 22-27, enables you to assign users to
groups in your workgroup information file. If you added optional groups from the previous
page (as shown in Figure 22-24), you can assign a user to any of these groups by checking
the appropriate check box. To assign rights to a user, simply select the user from the drop-
down list and then assign that user to groups using the check boxes. By default, all users,
except the person creating the wizard, are assigned to new groups. Click the Next button to
continue on to the next screen.




Figure 22-27: Adding users to groups for group rights.

The last page of the wizard displays, as shown in Figure 22-28. In this screen, the Security
Wizard asks you to provide a name for the old, and now unsecure, database. The default
name is the same name as the current database with the extension .bak. Select the Finish
button to finish creating the new secure database.




Figure 22-28: In the Final wizard screen, the Security Wizard asks you to assign a name
for the old database.

Technically, the Security Wizard doesn't make any modifications to the current database;
rather, it makes a backup copy by using the name that you specify and creates an entirely
new database with secured objects. However, the new database is given the name of the
original database.

Caution
When you distribute your secured application, be sure to distribute the database that the
Security Wizard created for you.

When the Security Wizard has finished creating the new database, it generates a report
called One-Step Security Wizard Report, as shown in Figure 22-29. The report contains all of
the settings used to create the users and groups in the workgroup information file. You
should keep this information. You will need it if you ever have the need to re-create the
workgroup file.




Figure 22-29: Choosing whether or not to assign permissions to the Users group.


Caution
If you click the Finish button and Access finds any problems, it won't create the security
database or the backup that you requested. Generally, you will get this error if you have created the
database and logged on as a user that secured the table and then re-logged on as another user
to secure it. This wizard works best with databases that have not had any previously defined
security.

Generally, making a copy of the original database and working with the secured database is
a good idea. If you make changes to the original database, you will need to run the Security
Wizard again to create a secured version of the database. In addition, making a copy of the
original database and then removing it from development helps prevent accidentally
distributing the unsecured database.


Encrypting a Database
When security is of utmost importance, one final step that you need to take is to encrypt the
database. Although it takes a great deal of skill (far more than the average computer user,
or developer, possesses), it is possible to view the structure of an unencrypted database. A
skilled hacker may use this information to reconstruct SIDs and gain full access to your
secured database.

Encrypting a database makes using such tools to gain any useful information about the
database virtually impossible. Only the database owner or a member of the Admins group
(or a really good computer hacker) can encrypt or decrypt a database.
To encrypt a database, follow these steps:
1. Open Access, but do not open a database. Select Tools > Security > Encrypt/Decrypt
Database (see Figure 22-30).




Figure 22-30: Encrypting a database helps secure it from highly skilled hackers.

2. Select the database to encrypt from the Encrypt/Decrypt dialog box.
3. Provide a name for the new encrypted database.
Access doesn't modify the original database when it encrypts it. Rather, Access creates a
clone of the database and encrypts the clone. Just like when using the Security Wizard, you
should make a backup copy of the original database and store it somewhere safe to prevent
accidentally distributing the unencrypted database. Remember that in a world of rapidly
changing data, your backup will rapidly become out of date.
When encrypting a database, however, be aware of the following drawbacks:
• Encrypted databases don't compress from their original size when used with
compression programs, such as WINZIP or the ODE Setup Wizard. Encryption
modifies the way that the data is stored on the hard drive so compression utilities
have no effect.
• Encrypted databases suffer some performance degradation (up to 15 percent).
Depending on the size of your database and the speed of your computer, this
degradation may be imperceptible.



Note
Encryption is performed in addition to securing a database. A secure database is one that is
secured using users, groups, and permissions. Simply encrypting a database does nothing
to secure the database for general Access users.


Decrypting a Database
You can decrypt a previously encrypted database. To decrypt a database, simply follow these
steps (which are similar to the encrypting process):
1. Start Access but do not open a database. Select Tools > Security > Encrypt/Decrypt
Database.
2. Select the database to decrypt from the Encrypt/Decrypt dialog box.
3. Provide a name for the new decrypted database.


Protecting Visual Basic Code
Although setting user-level security allows you to restrict access to tables, forms, and reports
in your database, it does not prevent access to the Visual Basic code stored in modules. You
control access to the Visual Basic code in your application by creating a password for the
Visual Basic project that you want to protect. When you set a password for a
project, users are prompted to enter the password each time they attempt to view the Visual
Basic code in the database.

Note
A Visual Basic project refers to the set of standard and class modules (the code behind forms
and reports) that are part of your Access database (.mdb) or Access project (.adp).

1. Open any standard module in the database. For this example, open the
basSalesFunctions module in Chap34Start.mdb. When you open the
basSalesFunctions module, the Visual Basic Editor displays.
2. In the Visual Basic Editor, select Tools > Access Auto Auctions Properties. The
Access Auto Auctions - Project Properties dialog box displays.
3. Select the Protection tab in the Project Properties dialog box. Check the option
labeled “Lock project for viewing.”
4. In the Password field, type the password that you want to use to secure the project
(see Figure 22-31). For this example, use the password bible. Access does not
display the password; rather, it shows an asterisk ( * ) for each letter.




Figure 22-31: Creating a project password restricts users from viewing the application's
Visual Basic code.

5. In the Confirm Password field, type the password again. This security measure
ensures that you don't mistype the password (because you can't see the characters
that you type) and mistakenly prevent everyone, including you, from accessing the
database.
6. Click OK to save the password.
After you save and close the project, any user who attempts to view the application's
Visual Basic code must enter the password. Access prompts for the project password only
once per session.
A more secure method of securing your application's code, forms, and reports is to distribute
your database as an .MDE file. When you save your database as an .MDE file, Access
compiles all code modules (including form modules), removes all editable source code, and
compacts the database. The new .MDE file contains no source code but continues to work
because it contains a compiled copy of all of your code. Not only is this a great way to
secure your source code, it also enables you to distribute databases that are smaller (because
they contain no source code) and always keep their modules in a compiled state.


Preventing Virus Infections
Implementing a good user-level security scheme will protect your database from
unauthorized access to the information or objects in your database. User-level security does
not, however, protect the physical database file from malicious macro virus attacks.
You probably have had experience at some point with a virus attack on your computer. Or
most likely, you know someone who has. It goes without saying that it is imperative to
install and run a virus scanning utility on your workstation. Even though you may be
religious about keeping your virus scanner up to date, new viruses crop up all the time.

Therefore, you have to be proactive about protecting your applications and sensitive data
from exposure to these kinds of attacks.
When you run forms, reports, queries, macros, data access pages, and Visual Basic code in
your application, Microsoft Office Access 2003 uses the Microsoft Jet Expression Service to
scan the commands these objects execute to make sure that these commands are safe. Unsafe
commands could allow a malicious user to hack into your hard drive or other resource in
your environment. A malicious user could possibly delete files from your hard drive, alter
the computer's configuration, or generally create all kinds of havoc in your workstation or
even throughout your network environment.
The Microsoft Jet Expression Service checks its list of unsafe commands. When Access
encounters one of the unsafe commands, it can block the command from execution. To tell
Access to block these potentially unsafe commands, you must enable sandbox mode.

Tip
To review the list of unsafe commands, search Access help for “About Microsoft Jet Expression
Service sandbox mode.”


Enabling sandbox mode
Sandbox mode allows Access to block any of the commands in the unsafe list it encounters
when running forms, reports, queries, macros, data access pages, and Visual Basic code. To
enable sandbox mode, follow these steps:
1. Open Access, but do not open a database. Select Tools > Macro > Security. The
Security dialog box displays, as shown in Figure 22-32.
2. In the Security dialog box, select the High or Medium option.
3. Select the OK button to close the Security dialog box.
4. Restart Access to apply the security change.




Figure 22-32: Enabling sandbox mode.


Note
When you enable sandbox mode, it applies to all Access users on the workstation.

The Security dialog box provides three levels of macro security:
• High: Macros must be digitally signed. Unsigned macros will not run. The status of
the macro's digital signature is validated for digitally signed macros.
• Medium: The status of the macro's digital signature is validated for digitally signed
macros. For unsigned macros, a prompt displays advising the user to enable the
macro or to cancel opening the database.
• Low: Macros are not checked for digital signatures and no warning displays for
unsigned macros.
A digital signature is an encrypted secure file that accompanies a macro or document. It
confirms that the author is a trusted source for the macro or document. A digital signature is
contained in a digital certificate. You, or your organization's IT department, can obtain a
digital certificate through a commercial certification authority, like VeriSign, Inc. Search
www.msdn.com for “Microsoft Root Certificate Program Members” to obtain information
on how to obtain a digital certificate.
If you are sure of the integrity of your database, you can select the Low security setting.
Digital signatures are generally implemented within large organizations that are willing to
fund the added expense of purchasing and keeping digital signatures up to date. For most
applications, however, you will probably use the Low setting.
If you or your organization has acquired a digital certificate, you can use it to digitally sign
your Access project. To digitally sign your Access project, follow these steps:
1. Open the Access database to digitally sign. Select Tools > Macro > Visual Basic
Editor from the Access menu. The Visual Basic Editor opens.
2. Select Tools > Digital Signature from the Visual Basic Editor menu. The Digital
Signature dialog box displays, as shown in Figure 22-33.

