How to keep someone from importing data out of my database

I have a split database with an MDE front end and forms linked to tables on a
MySQL BE located on a network server.

How do i keep a user from simply creating a new empty access database and
importing the tables out of my BE by accessing the links to my tables that
are stored in my FE (i.e. the forms are grayed out but not the queries or
tables)?!!!!

For the most part, if they can get at the data, then they can take it.

If you 100% hide the access interface, then that usually keeps most users
out and they not be able to see the tables. In fact, often users will not
even know your application is written in access.

The above helps a lot, but savvy users could still import linked tables to
another database. If you really need to prevent this
you could setup workgroup security so they would not be able to import the
links to another database. If a user were to join the same workgroup they
might be able to import the tables but it would require users to have above
average (advanced) access skills.

I would as a 1st step simply hide the access interface.

Try downloading and running the 3rd example at my following web site that
shows a hidden ms-access interface (no code is required to do this....but
just some settings in the start-up).

Check out:

http://www.members.shaw.ca/AlbertKal...s/DownLoad.htm

After you try the application, you can exit, and then re-load the
application, but hold down the shift key to by-pass the start-up options. If
want, you can even disable the shift key by pass. I have a sample mdb file
that will let you "set" the shift key bypass on any application you want.
You can get this at:

http://www.members.shaw.ca/AlbertKal.../msaccess.html


--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada

Hi Albert,
Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note of
interest, I am being told by the IT people at the University here that they
don’t want us to put any sensitive data in Access. Since sensitive now days
is phone numbers, student ID#s, or even where I got a biological sample from,
it pretty much makes access useless for universities. I assume the business
world has the same problem. The user interface of Access is fantastic but the
security issues are going to kill them- unless you only want to store your
cooking recipes.

I will explore user level security and will talk with the computer folks
here at the university to see if there is some way to shield the FE from
users so they can rip off the back end.

If you hear of any way to stop someone from importing tables out of an
Access database (FE) with linked tables, please let me know- I am desperate.


"Albert D. Kallal" wrote:

For the most part, if they can get at the data, then they can take it.

If you 100% hide the access interface, then that usually keeps most users
out and they not be able to see the tables. In fact, often users will not
even know your application is written in access.

The above helps a lot, but savvy users could still import linked tables to
another database. If you really need to prevent this
you could setup workgroup security so they would not be able to import the
links to another database. If a user were to join the same workgroup they
might be able to import the tables but it would require users to have above
average (advanced) access skills.

I would as a 1st step simply hide the access interface.

Try downloading and running the 3rd example at my following web site that
shows a hidden ms-access interface (no code is required to do this....but
just some settings in the start-up).

Check out:

http://www.members.shaw.ca/AlbertKal...s/DownLoad.htm

After you try the application, you can exit, and then re-load the
application, but hold down the shift key to by-pass the start-up options. If
want, you can even disable the shift key by pass. I have a sample mdb file
that will let you "set" the shift key bypass on any application you want.
You can get this at:

http://www.members.shaw.ca/AlbertKal.../msaccess.html


--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada

"salmonella" wrote in message
...
Hi Albert,

Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note
of
interest, I am being told by the IT people at the University here that
they
don't want us to put any sensitive data in Access.

But you told me your data is in MySql. So, how does that effect ms-access???

Your secrity going to be setup on the MySql side of things.

What is stop a user from firing up excel and going data-Import External
data and pulling the data out of mysql?


If you hear of any way to stop someone from importing tables out of an
Access database (FE) with linked tables, please let me know- I am
desperate.


Yes, you can setup user level security and they not be able to import those
linked tables....

You can find the security faq for access he
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793


You not really mentioned how you setup the MySql security..but, if you
allowing users to read that data, then you might try the MySql newsgroups
for what they suggest, but for the most part your security issues will be
that of your database engine, in this case MySql. You not using ms-access to
store this data so secuirty really not an issue of ms-access, it is that of
mySql...


--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada

On Sat, 1 Nov 2008 11:09:01 -0700, salmonella wrote:

Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note of
interest, I am being told by the IT people at the University here that they
don’t want us to put any sensitive data in Access. Since sensitive now days
is phone numbers, student ID#s, or even where I got a biological sample from,
it pretty much makes access useless for universities.

Given that there are screen capture utilities and optical character
recognition software readily available...

If the user of your database can SEE the information in it, they can capture
it.

If the user of your database *cannot* see the information in it, the database
is useless (or the information should not be stored on any computer).

This is a bureaucratic issue. This is not an Access issue or even a technical
issue.
--

John W. Vinson [MVP]

Hi Albert and John,
I am not sure if I have not confused you both or if I just don’t get what
you are saying, so here it goes again….
A user uses a PW (not Access ULS, but my VB code) to log onto the FE, then,
depending on who the user is, I allow them different editing and viewing
rights for each record. So users are adding, editing or viewing only those
records that they have permission to. This all works very well and would, I
believe, be very secure if not for the problem below.
It appears that a property of Access is to allow one access database to
import data in linked tables from any other Access database. Therefore it
appears that Access, or even Excel, may be able to ‘ask’ my MySQL-linked FE
to have a copy of all the data in the BE tables it is linked to and my FE
then uses its ODBC connection and passwords to access and get the data for
this other access database. As far as I can tell, my security problem thus is
with Access and not MySQL since mysql is simply giving the information to my
FE, as it is supposed to, and it is my FE that is then giving the information
to the other database/excel (which I don’t want it to do but which seems to
be a property of Access). Thus what I need to know is if there is a utility,
etc. within Access that will allow my FE to deny a request from another
access database or excel to get it copies of tables and queries from my BE,
much in the same way that an MDE version of my FE will deny a similar request
from an access database for forms in my FE.

Yes I agree that there are always other ways for someone to steal data, such
as capturing screen shots, however, these sorts of things are not a ‘problem’
with what I am doing. Lastly, I am a GREAT fan of Access, as a biochemist and
someone who has never taken a single computer course, Access has proven
itself to me to be indispensable in my work. So, for the record, I, am not
knocking Access, I will not give up on Access, and I will get this bug worked
out to the satisfaction of the IT people.

Hope this makes more sense, and I am really hoping that I am making some
stupid little error and that there is a quick solution to this problem.


"John W. Vinson" wrote:

On Sat, 1 Nov 2008 11:09:01 -0700, salmonella wrote:

Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note of
interest, I am being told by the IT people at the University here that they
don’t want us to put any sensitive data in Access. Since sensitive now days
is phone numbers, student ID#s, or even where I got a biological sample from,
it pretty much makes access useless for universities.

Given that there are screen capture utilities and optical character
recognition software readily available...

If the user of your database can SEE the information in it, they can capture
it.

If the user of your database *cannot* see the information in it, the database
is useless (or the information should not be stored on any computer).

This is a bureaucratic issue. This is not an Access issue or even a technical
issue.
--

John W. Vinson [MVP]

Hi Albert and John,
I am not sure if I have not confused you both or if I just don’t get what
you are saying, so here it goes again….
A user uses a PW (not Access ULS, but my VB code) to log onto the FE, then,
depending on who the user is, I allow them different editing and viewing
rights for each record. So users are adding, editing or viewing only those
records that they have permission to. This all works very well and would, I
believe, be very secure if not for the problem below.
It appears that a property of Access is to allow one access database to
import data in linked tables from any other Access database. Therefore it
appears that Access, or even Excel, may be able to ‘ask’ my MySQL-linked FE
to have a copy of all the data in the BE tables it is linked to and my FE
then uses its ODBC connection and passwords to access and get the data for
this other access database. As far as I can tell, my security problem thus is
with Access and not MySQL since mysql is simply giving the information to my
FE, as it is supposed to, and it is my FE that is then giving the information
to the other database/excel (which I don’t want it to do but which seems to
be a property of Access). Thus what I need to know is if there is a utility,
etc. within Access that will allow my FE to deny a request from another
access database or excel to get it copies of tables and queries from my BE,
much in the same way that an MDE version of my FE will deny a similar request
from an access database for forms in my FE.

Yes I agree that there are always other ways for someone to steal data, such
as capturing screen shots, however, these sorts of things are not a ‘problem’
with what I am doing. Lastly, I am a GREAT fan of Access, as a biochemist and
someone who has never taken a single computer course, Access has proven
itself to me to be indispensable in my work. So, for the record, I, am not
knocking Access, I will not give up on Access, and I will get this bug worked
out to the satisfaction of the IT people.

Hope this makes more sense, and I am really hoping that I am making some
stupid little error and that there is a quick solution to this problem.


"Albert D. Kallal" wrote:

"salmonella" wrote in message
...
Hi Albert,

Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note
of
interest, I am being told by the IT people at the University here that
they
don't want us to put any sensitive data in Access.

But you told me your data is in MySql. So, how does that effect ms-access???

Your secrity going to be setup on the MySql side of things.

What is stop a user from firing up excel and going data-Import External
data and pulling the data out of mysql?


If you hear of any way to stop someone from importing tables out of an
Access database (FE) with linked tables, please let me know- I am
desperate.


Yes, you can setup user level security and they not be able to import those
linked tables....

You can find the security faq for access he
http://support.microsoft.com/default.aspx?scid=kb;[LN];207793


You not really mentioned how you setup the MySql security..but, if you
allowing users to read that data, then you might try the MySql newsgroups
for what they suggest, but for the most part your security issues will be
that of your database engine, in this case MySql. You not using ms-access to
store this data so secuirty really not an issue of ms-access, it is that of
mySql...


--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada

"salmonella" wrote in message
...


It appears that a property of Access is to allow one access database to
import data in linked tables from any other Access database.

And the same as for excel, word, power-point and anything else you use. The
problem here is what's to stop the person from using excel and importing
data directly from MySql? We NOT talking about using excel to get data from
an access database we talking about using Excel to grab the data from MySql
(Excel can use odbc to MySql here).

linked to and my FE
then uses its ODBC connection

Are you using a DSN here? Excel and word can use that same dsn, and will not
have to bother with ms-access to connect and import the data.

Thus what I need to know is if there is a utility,
etc. within Access that will allow my FE to deny a request from another
access database

There is not a utility, but you choose to not read my last post. I said you
can setup ULS to prevent users from importing the tables (or linked" tables)
into other access applications.

much in the same way that an MDE version of my FE will deny a similar
request
from an access database for forms in my FE.

Well, users can still open up the mde with a text editor, and the passwords
if hard coded will be in plain sight.

As I said, if you setup access user level security then users can't import
anything to another file but they can still open up the mde file with a text
editor. You not talking about copying data here, but only "links". If you
save table links in your c++ application, then I can still open up that
application with a text editor and see your passwords....

If you looking to build a high security application then a simple desktop
application like ms-access is not going to be the correct tool at all.

--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada

I can't speak for MySQL, but with MS SQL you can set the users who are
allowed to get information from the database.

If the user (not the database) does not have permissions to get
information from the database (where the data is stored) they will not
be able to get the data.

If you have designed an Access front-end that is linked to MySql and the
link embeds the a user-id and password, then you do have a hole in your
security.

On the other hand if you use windows authentication with MS SQL server
the hole is NOT there and cannot be exploited.

In other words I agree with John and Albert. The problem is not with
Access. It is with the security settings on the database server. How
does mySql control permissions and access to the data it stores?

'================================================= ===
John Spencer
Access MVP 2002-2005, 2007-2008
The Hilltop Institute
University of Maryland Baltimore County
'================================================= ===

Apparently both you and the security people at your university need to learn
a bit about how front-end and back-end databases work. According to your
first post, your data is not "in Access" but stored in your backend "MySQL"
database, which, I am reasonably certain, has security features that you can
use.

I've used backend databases in Microsoft SQL Server, Informix, and various
Sybase databases and the server database, in each case, had strong security
which was used to protect the data. Each user, when they logged in to the
application (the front-end user interface in Access) would be asked for
their password when they first accessed the server, and that password and
the user's userid would be used for the remainder of the session.

Security in databases done with Access with data stored in the default Jet
database engine (and now the default ACE database engine in Access 2007) has
never been a strong point. However, you can use Microsoft SQL Server -- now
available in a free Express Edition which will support a modest number of
concurrent users and has strong security as does the full edition.

For learning Access, for developing applications to later use senstive data,
and for applications handling non-sensitive data, Access and Jet/ACE are
excellent. For sensitive data, I have always found it trivially simple to
convert the database to link to tables in a backend database for which
security is a strong point (and, that would be "most of them") to store
data.

Larry Linson
Microsoft Office Access MVP

"salmonella" wrote in message
...
Hi Albert,
Thanks for the reply. I have already removed the toolbar/menu and disabled
the bypass key and, I believe, have the FE locked down- except for this
problem. Microsoft needs to deal with their security problems. Just a note
of
interest, I am being told by the IT people at the University here that
they
don't want us to put any sensitive data in Access. Since sensitive now
days
is phone numbers, student ID#s, or even where I got a biological sample
from,
it pretty much makes access useless for universities. I assume the
business
world has the same problem. The user interface of Access is fantastic but
the
security issues are going to kill them- unless you only want to store your
cooking recipes.

I will explore user level security and will talk with the computer folks
here at the university to see if there is some way to shield the FE from
users so they can rip off the back end.

If you hear of any way to stop someone from importing tables out of an
Access database (FE) with linked tables, please let me know- I am
desperate.


"Albert D. Kallal" wrote:

For the most part, if they can get at the data, then they can take it.

If you 100% hide the access interface, then that usually keeps most users
out and they not be able to see the tables. In fact, often users will not
even know your application is written in access.

The above helps a lot, but savvy users could still import linked tables
to
another database. If you really need to prevent this
you could setup workgroup security so they would not be able to import
the
links to another database. If a user were to join the same workgroup they
might be able to import the tables but it would require users to have
above
average (advanced) access skills.

I would as a 1st step simply hide the access interface.

Try downloading and running the 3rd example at my following web site that
shows a hidden ms-access interface (no code is required to do this....but
just some settings in the start-up).

Check out:

http://www.members.shaw.ca/AlbertKal...s/DownLoad.htm

After you try the application, you can exit, and then re-load the
application, but hold down the shift key to by-pass the start-up options.
If
want, you can even disable the shift key by pass. I have a sample mdb
file
that will let you "set" the shift key bypass on any application you want.
You can get this at:

http://www.members.shaw.ca/AlbertKal.../msaccess.html


--
Albert D. Kallal (Access MVP)
Edmonton, Alberta Canada