Subject: Re: Securing a database
From: Ian Grech (IGrechDMICROS.COM.MT)
Date: Thu Nov 30 2000 - 01:08:14 CST


I completely agree that SQL Server is much better suited for secure DB's,
however, one must consider the client needs (and his budget).

I once was on a list on LISTSERV somewhere relating to Access and someone
posted a URL for a Securing an Access DB FAQ. I really don't have the FAQ or
the URL, but the moral of this story is that I think you're better off
asking this question to an Access programmer who knows his baby inside out.
(or else look at some Access websites)

As someone in this stream has already commented, the solution lies in using
the Access Workgroups.

Sorry for not being of much real help, but hope the pointer helps.

Ian Grech

> -----Original Message-----
> From: Talisker [SMTP:TaliskerNETWORKINTRUSION.CO.UK]
> Sent: Wednesday, November 29, 2000 23:01
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: Re: Securing a database
>
> I'd just like to reinforce the go to a better Database server argument, I
> find the main argument against this is that an influential person in the
> organisation knows a certain product and is reluctant to shift - if this
> is the case SQL is still an option, I'm a little rusty but I think SQL 2000
> (and possibly SQL 7) has a good MS Access import wizard and you can still
> use Access as a frontend (I said that with a DBA head not a security head)
>
> I'll have to dig out my course notes at work tomorrow
>
> Take Care
> Andy
> http://www.networkintrusion.co.uk
> Talisker's Network Security Tools List
> '''
> (0 0)
> ----oOO----(_)----------
> | The geek shall |
> | Inherit the earth |
> -----------------oOO----
> |__|__|
> || ||
> ooO Ooo
> taliskernetworkintrusion.co.uk
>
> The opinions contained within this transmission are entirely my own, and
> do not necessarily reflect those of my employer.
>
>
>
>
>
> ----- Original Message -----
> From: "Deus, Attonbitus" <ThorHammerofGod.Com>
> To: <FOCUS-MSSECURITYFOCUS.COM>
> Sent: Tuesday, November 28, 2000 11:38 PM
> Subject: Re: Securing a database
>
>
> > If you can, talk your client into using SQL Server - Your security
> > options there are only limited to your imagination.
> >
> > If that is a no go and you MUST use Access, encrypt the data in the
> > database, not the database itself and keep the key in the front end app.
> > Then you won't have to worry about securing the database from other
> > processes once it is decrypted (which you really won't be able to do
> > anyway if people know what they are doing).
> >
> > "Applied Cryptography" has C++ code examples of different algorithms you
> > can use to do this - it all depends on how secure it really must be (as
> > opposed to how secure it must LOOK). I'm sure that speed will also be a
> > factor, so you may end up XOR'ing the data to give the illusion of
> > security to the client while maintaining decent data access speeds. The
> > XOR will be Trivial+1 to break (to a cryptanalyst) depending on how you
> > do it, but might suit to make the casual cracker shrug and walk away. Are
> > you securing 1001 recipes using A-1 Steak Sauce or the names of the CIA's
> > field operatives in Bosnia?
> >
> > SQL would make your life WAY easier, would cost the client far less
> > money (assuming you charge for your programming services), and would
> > leave the client in a better position to scale.
> >
> > ---------------------------------------------------------
> > Attonbitus Deus
> > thorhammerofgod.com
> >
> >
> > ----- Original Message -----
> > From: Stuart Stein
> > To: FOCUS-MSSECURITYFOCUS.COM
> > Sent: Tuesday, November 28, 2000 8:55 AM
> > Subject: Securing a database
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I am creating a database for a client, the database has to be done in
> > MS-ACCESS 2000 and is to be accessed through a front-end programmed in
> > Visual Basic.
> >
> > There are to be levels of access in the database, read the data,
> > change the data, delete data and administrator. The administrator has
> > the ability to change the levels of access of other users.
> >
> > The problem is the database is not to be accessible without using the
> > front end, this means the database will have to be encrypted and then
> > decrypted when the front end is run (which will obviously have to be
> > always at front and not allow access to other programs through
> > ALT-TAB etc) then re-encrypted when the front-end exits.
> >
> > When the front end is run and the database decrypted the user will
> > have to log on to the system with a username / password. Then
> > depending on the password privileges will be set.
> >
> > The database will be on a single machine, but has to be able to be
> > copied along with the front end so it can be distributed. This is
> > obviously going to cause problems with different databases being out
> > of date etc. We have tried to explain this but it's the way they want
> > it.
> >
> > They are saying that there will only ever be one copy being passed
> > around various machines.
> >
> > Any ideas of how this could be implemented, what encryption could be
> > used? Is it even possible using Visual Basic?
> >
> > Sorry if this is a bit lengthy, but I am a tad stuck on ideas to
> > implement this.
> >
> > Thanks for your time.
> >
> > Regards
> >
> > Stuart Stein
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBOiPjZ6Owf/4dm3zdEQLAQwCePfLwcUcK8PymbjeqR4zKDdiPSOQAoPLp
> > f12PpxdzqQFiB9zavII2LiPU
> > =uqXq
> > -----END PGP SIGNATURE-----
> >
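
Added example, not part of any post in this thread: a short Python sketch of why the repeating-key XOR field obfuscation mentioned in the quoted reply is undone by knowing a single stored value. The key, the field values and all function names are constructed for illustration.

```python
from itertools import cycle


def xor_field(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_from_known(stored: bytes, known_plaintext: bytes) -> bytes:
    """XOR of a stored field with its known value yields the key bytes used."""
    return bytes(c ^ p for c, p in zip(stored, known_plaintext))


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces the stream (the key)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def audit(rows, known_index, known_value):
    """Show how much of the table falls once one field value is known."""
    stream = keystream_from_known(rows[known_index], known_value)
    key = shortest_period(stream)
    return key, [xor_field(r, key) for r in rows]


# Constructed sample data: a hypothetical key kept in the front end and
# three made-up field values as they would sit in the table after XOR.
KEY = b"s3cr3t"
PLAIN = [
    b"Administrator account",
    b"Jane Example, 12 High Street",
    b"Salary: 48000",
]
STORED = [xor_field(p, KEY) for p in PLAIN]


def demo():
    # Only STORED and the value of row 0 are used; KEY is never consulted.
    return audit(STORED, 0, PLAIN[0])


if __name__ == "__main__":
    key, rows = demo()
    print("recovered key:", key)
    for r in rows:
        print(r.decode())
```

Any predictable field (a default account name, a column of known format) is enough to expose every other row, which is the gap between how secure the data looks and how secure it is.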