Results 1 to 14 of 14
  1. #1
    Join Date
    Jun 2007
    Posts
    6

    Red face Unanswered: Security in Access 2003 - Custom Workgroup Information Files

    Hello,

    I am hoping that someone may be able to help clarify a problem I am having with MS Access Security.

    Basically, I have created a custom workgroup information file, which I then used to secure a database. The custom Workgroup Information File (WIF) is now loaded as default when Access starts.

    My understanding is that now, when I open an unsecured database, I should still be able to get straight in as Access will automatically authenticate the default Admin user that still exists in my custom WIF. However, when I try to open an unsecured database, I get prompted to Logon. If I type in 'Admin' with no password, the unsecured database will not let me in.

    I may be missing something fairly obvious here but I was under the impression that all unsecured databases could be opened by any WIF as the default Admin user with blank password is the same in all WIF files.

    I am happy to provide more specific information regarding the setup of the particular databases in question, but am hoping that I have just missed something obvious.

    Any advice would be much appreciated as I am struggling to get my head round this problem.

    Thanks very much.

  2. #2
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Quote Originally Posted by Savo
    I was under the impression that all unsecured databases could be opened by any WIF as the default Admin user with blank password is the same in all WIF files.
    That doesn't sound very secure to me?!
    Unsecured databases by definition don't have a workgroup file.
    It sounds like you're under the impression that any database that has been secured could be opened with the username of "Admin" with no password - wouldn't knowing this be enough to invalidate any security implementations?

    Also, I believe that you cannot just chop and change workgroup files - they are specifically linked to databases and can't just be dragged and dropped and expected to work. Think how this would affect security! I could create my own workgroup file and overwrite any existing one and bobs-yer-uncle I'd be in... Sounds far too easy in my opinion.

    Hope this helps
    George
    Home | Blog

  3. #3
    Join Date
    Jun 2007
    Posts
    6
    Hi

    Thanks for the reply. I might not have explained the problem very clearly.

    I was under the impression that all databases use a workgroup file - irrespective of whether they have been secured as the Microsoft Help Guide says that Access validates all unsecured database logins against the default System.mdw file.

    I understand that the Admin cannot just log into any secured database (assuming the database has been secured correctly), however, I would assume that the Admin used from a secured WIF would still be allowed access into an unsecured database as it still has all the credentials required to open an unsecured mdb file.

    In terms of chopping and ghanging workgroup files, I understand that secured mdb files can only be opened using the WIF file used to create them, I am just confused why my custom WIF file will not let me into unsecured databases as the Admin user.

    Apologies if my original post was unclear and thanks for getting back so quickly.

    If anyone can shed any further light on this problem I'd be grateful.

    Thanks.

  4. #4
    Join Date
    Dec 2004
    Location
    Madison, WI
    Posts
    3,926
    Does this help any?
    http://support.microsoft.com/kb/266769

    It talks about creating a workgroup mdw file and profile. Not sure if that's what you're getting at.
    Expert Database Programming
    MSAccess since 1.0, SQL Server since 6.5, Visual Basic (5.0, 6.0)

  5. #5
    Join Date
    Sep 2003
    Location
    MI
    Posts
    3,713
    Clarification:

    If you set up a workgroup file as the DEFAULT for that machine, any and ALL DB's opened on that machine will use that security. If you open an Access db with a specific workgroup file "in-line", then that security file will override the machine-wide security.

    As we all know, the WorkGroup Adminstrator app set the default security file for the pc ...

    Also, 2 things, IF you have the default security file set then any dbs with custom security files will use those for entry (and bark if they cannot be found) and if you have the Admin password set, then you'll get the login prompt popping up ...
    Back to Access ... ADO is not the way to go for speed ...

  6. #6
    Join Date
    Jun 2007
    Posts
    6
    Hi,

    Thanks for the replies.

    If you set up a workgroup file as the DEFAULT for that machine, any and ALL DB's opened on that machine will use that security. If you open an Access db with a specific workgroup file "in-line", then that security file will override the machine-wide security.

    As we all know, the WorkGroup Adminstrator app set the default security file for the pc ...
    Ok, I understand that - I have set the default Workgroup to be my custom Workgroup file usijng workgroup administrator so that will be used to open any databases unless I use a command line argument in a desktop shortcut to override it.

    The problem is coming up when I try to open an UNSECURED database while my custom workgroup loaded as default. There is no Admin password in place in the WIF, so I would have expected the unsecured database to look at my custom default WIF and logon with the default Admin/blank password combination as the unsecured database will still have full permissions granted to Admin.

    Sorry if I'm not explaining it very clearly, I'm having trouble getting my head round it enough to explain it !

    Thanks again for your replies guys and if anyone can clarify further then please do.

    Thank you

  7. #7
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    Id sugesst never ever let any app use the 'admin' user account.

    any user has automatic rights to any object (& DB) they create

    make any user authenticate to the access (there are some smarter alternatives in my view [such as using the network logon, use null passwords but allocate the network logon the group accounts needed for each app], but they may be a layer above where your at at present).

    If you are going down the workgroup security route, then read the Access security FAQ (several times, and weekly until you fully understand it).
    > there is no reason not to authenticate users, so a password should be acceptable, failing that force the application you want to open as a shortcut and explicitly specify the workgroup there. if you go down that route existing users of access will not be affected by wahtever you do. they can continue to use the default system MDW workgroup file. it also helps as each time your network trolls tinker with tthe office installation you wont have to get each user to reassoicate with the workgroup file. if you do go down this route you need to put some code in your app that kicks out people trying to open your secured app with the default workgroup. if they claim to be admin..... boot 'em out of the app.
    > make sure take frequent regular backups, especially before tinkering with permissions, encrypting to MDE [but you do that already dont you...])
    I'd rather be riding on the Tiger 800 or the Norton

  8. #8
    Join Date
    Sep 2003
    Location
    MI
    Posts
    3,713
    Quote Originally Posted by Savo
    Hi,

    Thanks for the replies.



    Ok, I understand that - I have set the default Workgroup to be my custom Workgroup file usijng workgroup administrator so that will be used to open any databases unless I use a command line argument in a desktop shortcut to override it.

    The problem is coming up when I try to open an UNSECURED database while my custom workgroup loaded as default. There is no Admin password in place in the WIF, so I would have expected the unsecured database to look at my custom default WIF and logon with the default Admin/blank password combination as the unsecured database will still have full permissions granted to Admin.

    Sorry if I'm not explaining it very clearly, I'm having trouble getting my head round it enough to explain it !

    Thanks again for your replies guys and if anyone can clarify further then please do.

    Thank you
    What is your question? You're explaining but not asking ... What problem are you trying to solve?

    With your custom wif in effect, does your unsecured db prompt for a password?
    Back to Access ... ADO is not the way to go for speed ...

  9. #9
    Join Date
    Jun 2007
    Posts
    6
    Thanks again for replying. Sorry if my explanation is a bit vague.

    With your custom wif in effect, does your unsecured db prompt for a password?
    Yes, with my custom WIF in effect, I get prompted for a username & password. If I enter 'Admin' with a blank password, the unsecured database says that this is not a valid user name/password. As the 'Admin' user in my custom WIF still exists and does not have a password, surely the unsecured database should just allow the 'Admin' user to log in ?

    What is your question? You're explaining but not asking ... What problem are you trying to solve?
    I am trying to use my custom WIF as the default WIF in Access but still be able to log into unsecured databases using the 'Admin' user.

    Hope this helps clarify the problem. If not, I can post the specifics of what I have done in full if that would help?

    Thanks again for the replies.

  10. #10
    Join Date
    Sep 2003
    Location
    MI
    Posts
    3,713
    Hold on ... Just a new thought. Does the security file that the unsecured db was created with reside on your pc? If it does, then THAT's the file it uses for security ... I forgot that little bit. Likewise anytime you have the Amin accout's password set, then you'd get the login prompt ...
    Back to Access ... ADO is not the way to go for speed ...

  11. #11
    Join Date
    Dec 2004
    Location
    Madison, WI
    Posts
    3,926

    mdw

    I've used this to some success for getting mdw passwords (if it's any help.)
    Attached Files Attached Files
    Expert Database Programming
    MSAccess since 1.0, SQL Server since 6.5, Visual Basic (5.0, 6.0)

  12. #12
    Join Date
    Jun 2007
    Posts
    6
    Does the security file that the unsecured db was created with reside on your pc? If it does, then THAT's the file it uses for security ... I forgot that little bit. Likewise anytime you have the Amin accout's password set, then you'd get the login prompt ...
    Yes, the security file that the unsecured database was created with does reside on my PC (it was created with the default unmodified system.mdw file).

    Apologies if I'm asking a stupid question now, but how does that cause a problem? I thought that when the custom.mdw file was loaded that the unsecured database would look at whichever worgroup file is active, and as my custom WIF has an Admin user in it (as it's not possible to delete Admin), that it would just allow the login??

    Sorry for being a nuisance - your help is much appreciated.

  13. #13
    Join Date
    Sep 2003
    Location
    MI
    Posts
    3,713
    Quote Originally Posted by Savo
    Yes, the security file that the unsecured database was created with does reside on my PC (it was created with the default unmodified system.mdw file).

    Apologies if I'm asking a stupid question now, but how does that cause a problem? I thought that when the custom.mdw file was loaded that the unsecured database would look at whichever worgroup file is active, and as my custom WIF has an Admin user in it (as it's not possible to delete Admin), that it would just allow the login??

    Sorry for being a nuisance - your help is much appreciated.
    It's not causing a problem per se, but it explains the behaviour you're seeing ... Per my comment: Access prefers to use the mdw file that was used during the creation of the db in question ... How access resolves different security file instances internally is beyond my knowledge ...
    Back to Access ... ADO is not the way to go for speed ...

  14. #14
    Join Date
    Jun 2007
    Posts
    6

    Smile

    Ok, no problem. I can set Access to call the relevant WIF file using a command line in a desktop shortcut anyway, I was just trying to get my head around this issue as the behaviour I was experiencing seemed to contradict what I had read in tutorials etc.

    Thanks again for your help and thanks to everyone else who posted replies.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •