Can It Be Done? - MDB Security

Hi

Basically i need to prevent users from Copying/Moving/Deleting a MS Access
database from it's current location.

the users need Read/Write access in order to update the records within the
database.

So, is it possible for me to prevent Copying/Moving/Deleting of the actual
file (not the records within it)?

any help would be great.

Thanks

Jado

Hi,

You can try setting NTFS access on the file to deny the users "All"

--
--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out
here
Only reply by newsgroup. I do not do technical support via email. Any
emails I have not authorized are deleted before I see them.


"Jado" <(E-Mail Removed)> wrote in message
news:%23$(E-Mail Removed)...
> Hi
>
> Basically i need to prevent users from Copying/Moving/Deleting a MS Access
> database from it's current location.
>
> the users need Read/Write access in order to update the records within the
> database.
>
> So, is it possible for me to prevent Copying/Moving/Deleting of the actual
> file (not the records within it)?
>
> any help would be great.
>
> Thanks
>
> Jado
>
>

Hi
could you be a little bit more specific as there is no 'All' option that i
can see in NTFS. i'm using Win2000 Server.

do you mean 'Full control' ?

i've been playing around, but i can still copy the mdb file to my local
system.
are you sure it is possible?


Thanks
Jado

"Jonathan Maltz [MS-MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> You can try setting NTFS access on the file to deny the users "All"
>
> --
> --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> tutorial site :-)
> http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find
out
> here
> Only reply by newsgroup. I do not do technical support via email. Any
> emails I have not authorized are deleted before I see them.
>
>
> "Jado" <(E-Mail Removed)> wrote in message
> news:%23$(E-Mail Removed)...
> > Hi
> >
> > Basically i need to prevent users from Copying/Moving/Deleting a MS
Access
> > database from it's current location.
> >
> > the users need Read/Write access in order to update the records within
the
> > database.
> >
> > So, is it possible for me to prevent Copying/Moving/Deleting of the
actual
> > file (not the records within it)?
> >
> > any help would be great.
> >
> > Thanks
> >
> > Jado
> >
> >
>
>

Copying it doesn't prove anything. Copying only requires read-only
permission. You are *not* going to be able to do what you wish. Any
permission that allows the file to be written to will also allow it to be
moved or deleted.

You either need to write a separate interface (a "front-end") for the
database which requires a very high level of programming skills ($$$) then
only the interface has permission to write to the file, and the interface
will have built into it the security features to allow the users to only do
what they need.

The other solution is to migrate the data to an SQL Database. It is
possible to use the Access MDB file to create a "front-end" to the SQL
Database, otherwise you would have to write one youself.

The third option is to educate the users on how to not screw things up and
keep doing it the way you are doing it. Make daily backups of the MDB file
(just make a new copy of it somewhere,...like a CD).


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Jado" <(E-Mail Removed)> wrote in message
news:%23ppIKD%(E-Mail Removed)...
> Hi
> could you be a little bit more specific as there is no 'All' option that i
> can see in NTFS. i'm using Win2000 Server.
>
> do you mean 'Full control' ?
>
> i've been playing around, but i can still copy the mdb file to my local
> system.
> are you sure it is possible?
>
>
> Thanks
> Jado
>
> "Jonathan Maltz [MS-MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > You can try setting NTFS access on the file to deny the users "All"
> >
> > --
> > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> > tutorial site :-)
> > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find
> out
> > here
> > Only reply by newsgroup. I do not do technical support via email. Any
> > emails I have not authorized are deleted before I see them.
> >
> >
> > "Jado" <(E-Mail Removed)> wrote in message
> > news:%23$(E-Mail Removed)...
> > > Hi
> > >
> > > Basically i need to prevent users from Copying/Moving/Deleting a MS
> Access
> > > database from it's current location.
> > >
> > > the users need Read/Write access in order to update the records within
> the
> > > database.
> > >
> > > So, is it possible for me to prevent Copying/Moving/Deleting of the
> actual
> > > file (not the records within it)?
> > >
> > > any help would be great.
> > >
> > > Thanks
> > >
> > > Jado
> > >
> > >
> >
> >
>
>

Hi,

Yes, Full. If you want to be completely secure, then NTFS-lock the folder
against "Everyone" then give only the users that need access permission to
enter. Then any regular user won't be able to access the folder

--
--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out
here
Only reply by newsgroup. I do not do technical support via email. Any
emails I have not authorized are deleted before I see them.


"Jado" <(E-Mail Removed)> wrote in message
news:%23ppIKD%(E-Mail Removed)...
> Hi
> could you be a little bit more specific as there is no 'All' option that i
> can see in NTFS. i'm using Win2000 Server.
>
> do you mean 'Full control' ?
>
> i've been playing around, but i can still copy the mdb file to my local
> system.
> are you sure it is possible?
>
>
> Thanks
> Jado
>
> "Jonathan Maltz [MS-MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > You can try setting NTFS access on the file to deny the users "All"
> >
> > --
> > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> > tutorial site :-)
> > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find
> out
> > here
> > Only reply by newsgroup. I do not do technical support via email. Any
> > emails I have not authorized are deleted before I see them.
> >
> >
> > "Jado" <(E-Mail Removed)> wrote in message
> > news:%23$(E-Mail Removed)...
> > > Hi
> > >
> > > Basically i need to prevent users from Copying/Moving/Deleting a MS
> Access
> > > database from it's current location.
> > >
> > > the users need Read/Write access in order to update the records within
> the
> > > database.
> > >
> > > So, is it possible for me to prevent Copying/Moving/Deleting of the
> actual
> > > file (not the records within it)?
> > >
> > > any help would be great.
> > >
> > > Thanks
> > >
> > > Jado
> > >
> > >
> >
> >
>
>

Wouldn't you want to just remove Everyone from the list rather than
explicitly "deny" them? Doing that would deny all users since all users are
part of Everyone and this "explicit deny" would over-ride other permissions.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Jonathan Maltz [MS-MVP]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
>
> Yes, Full. If you want to be completely secure, then NTFS-lock the folder
> against "Everyone" then give only the users that need access permission to
> enter. Then any regular user won't be able to access the folder

If you do that then you need to make sure the permissions from the parent
directory don't carry over

--
--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
tutorial site :-)
http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out
here
Only reply by newsgroup. I do not do technical support via email. Any
emails I have not authorized are deleted before I see them.


"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> Wouldn't you want to just remove Everyone from the list rather than
> explicitly "deny" them? Doing that would deny all users since all users
are
> part of Everyone and this "explicit deny" would over-ride other
permissions.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "Jonathan Maltz [MS-MVP]" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Hi,
> >
> > Yes, Full. If you want to be completely secure, then NTFS-lock the
folder
> > against "Everyone" then give only the users that need access permission
to
> > enter. Then any regular user won't be able to access the folder
>
>

On Thu, 27 May 2004 14:00:05 -0500, "Phillip Windell" <@.> wrote:

>Wouldn't you want to just remove Everyone from the list rather than
>explicitly "deny" them? Doing that would deny all users since all users are
>part of Everyone and this "explicit deny" would over-ride other permissions.

Everyone is a group, it's not "Every account on the system" so neither
removing Everyone from access or specifically denying Everyone will
actually stop every account from accessing the file.

But the real basis for the Deny is that a user may be a member of
another group that has explicit or inherited permissions to the
file/folder in question. With a Deny, everyone is denied access
explicitly. Which may again not be what is intended, since Everyone
is just a group anyway.

Better is to remove all access to the file/folder except for
administrators and the user in question. Watch for inherited rights
that may not be obvious. Put the users in a qroup that is allowed
access, then use the group account for access, that way changing
access is simply adding or removing users from the group.

Jeff

Thanks All

Looks like SQL Server is the only way to achieve what i'm after.

Jado

"Jeff Cochran" wrote in message
news:(E-Mail Removed)...
: On Thu, 27 May 2004 14:00:05 -0500, "Phillip Windell" <@.> wrote:
:
: >Wouldn't you want to just remove Everyone from the list rather than
: >explicitly "deny" them? Doing that would deny all users since all users
are
: >part of Everyone and this "explicit deny" would over-ride other
permissions.
:
: Everyone is a group, it's not "Every account on the system" so neither
: removing Everyone from access or specifically denying Everyone will
: actually stop every account from accessing the file.

Which accounts are not part of the Everyone group and how do you modify who
is and is not part of the Everyone group?

: But the real basis for the Deny is that a user may be a member of
: another group that has explicit or inherited permissions to the
: file/folder in question. With a Deny, everyone is denied access
: explicitly. Which may again not be what is intended, since Everyone
: is just a group anyway.

Everyone is an internal group and it should NOT be used. Windows 2003 made
a specific change to the Everyone group to remove the anonymous user but
"best practices" still should be to NOT use the Everyone group and instead
use Domain Users or a group for which you have complete control over.

If a user is part of multiple groups that have different levels of access,
the least restrictive rights is the effective right unless any group has no
access selected.

: Better is to remove all access to the file/folder except for
: administrators and the user in question.

Administrator's group, the group in question and the SYSTEM user. File
system rights should never be assigned at the user level even if only one
user is in the group except for the SYSTEM user.

: Watch for inherited rights
: that may not be obvious.

Inherited rights should be removed in this case. Allowing inherited rights
may change effective rights in the future.

: Put the users in a qroup that is allowed
: access, then use the group account for access, that way changing
: access is simply adding or removing users from the group.

I just said that! (O:=

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/service...p?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default...b;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default...b;EN-US;291382