rtatnell
07-11-2003, 09:23 AM
I have a site that is hosted using a Brinkster free account. My site has user accounts, that require passwords, and I'm worried it may be possible for visitors to the site to figure out how to get to and access the MS Access database that stores all the information and passwords of users. What would you recommend me do to make my site more secure, either through my ASP code or otherwise; bearing in mind I cannot configure the Server software or anything.
Thanks

You're free to have a nose at my site and send me any comments:
gamewize.tk (http://www.gamewize.tk)

rtatnell
07-12-2003, 12:19 PM
Cheers dude, I'm only on the most basic Freebie version of their hosting so they're most likely to turn round and say "database protection don't come with the standard account". My only worry was that someone could download one of my ASP files, and see the path of the database from there and download it. I don't get a 403.2 error, but I will put it to them to see what they say.
Thanks again

Ribeyed
07-12-2003, 01:11 PM
Hi,
Don't know if you already did this, but I would suggest removing the default guest account from your Access database and creating a secure password and username. This way, even if at a long shot they did get your database, they would still need a username and password to access it. If you need any help doing this I can post you some info.

rtatnell
07-12-2003, 03:21 PM
The database did download (sometimes I use that way to easily download my database for maintenance), and I've since sent an email to Brinkster to enquire. Surely it would be possible for a user to use a program like GetRight to download one of my ASP files, and then view the code using Notepad etc? (I have a wicked mind, I can see how people might get round things).

Regarding the guest account etc I would need some code and examples for that if you would be so kind. I've gotten as far as password protecting my database, however I don't know (and couldn't find) any ASP code or whatever that means my pages can use the database.

This is a good forum, cheers guys for the help!

rtatnell
07-12-2003, 04:18 PM
GetRight is a resumable download program, which allows you to enter a URL to download a file. I have tested and have found that I can download one of my ASP files from my server using this program, and view the source quite easily; which is a bit worrying!!

rtatnell
07-13-2003, 06:58 AM
Ok, alright. I must have mistaken my code when I downloaded one of my asp files previously. I've tried your file, and a mixture of mine and I can't view the code. Point made; I feel a lot safer now!

With regards to password protecting my database, how could I do this? I need the SQL code, which I cannot find anywhere!

Many thanks again

rtatnell
07-13-2003, 09:09 AM
ok, will do!

Ribeyed
07-13-2003, 09:59 AM
Hi,
The reason you can’t find any script is because it’s not a script you need to secure Access in the way I suggested. The way security works in Access is through your data database and your user database. The data database is the database with your tables, queries, forms, reports, macros and modules. The user database stores user names, passwords, identifiers, groups and group membership information. All the user database does is validate a user and a password and provide specific permissions within itself. Security is always on in Access. You don’t see a login because by default you are logging in as the default administrator without a password. So you need to remove the privileges of the default account, since this account is available to any Access installation.
There are 8 steps to doing this:

Step 1 Create a New User Database:

As mentioned above, the user database is where the logins for the database are stored. You need to create a new user database and then use that database to secure your own data database. To do this you need to use the tool that comes with Access called the Microsoft Access Workgroup Administrator.
This tool is not usually on your shortcut menu so you will have to browse to find it. Normally there is a shortcut for the tool in the Microsoft Office directory, but you can also just search for the name of the file, which is WRKGADM.EXE.
You want to create and join a new user database, so when you start this application you want to press Create. You should then see a box with Workgroup Owner Information and 3 fields to complete.
From this dialog box you want to supply a name for your user database. Then supply the organization and workgroup ID that you want to call the user database; when you're finished, click OK.
Next, supply the location where you want to create this user database and the name of the file. Press OK when you have the file name and location complete. You are then prompted to confirm all the information you just supplied. If the information is correct, press the OK button. It should tell you that you have successfully created and joined the new user database.

Step 2 Getting the Login Box to Appear:

When you enter Access, security is on even though you don’t log in. The reason a login box doesn’t appear is because the default account that you are logging in through does not have a password. In this step you need to change that.
Launch Access and don’t open a database. Using the menu, select Tools – Security – User and Group Accounts. Switch to the Change Logon Password tab.
The old password for the Admin account should be left blank. That is why you weren’t required to log in to Access before. Provide a new password for the Admin account and press the OK button. Now close Access and restart it. You should be prompted for a Name and Password. Supply Admin for the name and the password you supplied for that account.

Step 3 Create a New Admin:

The default Admin that you normally log in through is an account available with every installation of Access. Even if you change the password in your own copy of the user database like you did in the last step, someone can take your database and place it on a different computer and use the default Admin account without a password to access your database, so you need to create a new Admin.
Launch Access and again, don’t open a database. From the menu select Tools – Security and Group Accounts. Select the Users tab. You need to add a new administrator, so press the New button. Supply the new administrator with a name and an identifier. The new administrator needs to belong to the Admins group. So, next highlight the Admins group in the Available Groups list and press the Add button. Press the OK button and the NewAdmin account is created. But the account doesn’t have a password since all new accounts are created without a password. So close Access and restart it. This time, log in as the new administrator that you just created and leave the password field blank. Once again, don’t open a database. Go straight to Tools – Security – User and Group Accounts. Select the Change Logon Password tab and you should see that the current account is the NewAdmin account. For the old password just leave it blank since this is a new user. Then supply a new password for the NewAdmin.

Step 4 Removing the Admin from the Admins Group:

Unfortunately, you cannot just delete the original Admin account; however, you can remove the Admin from the Admins group so that the account won’t be able to manage new databases. Log in to the database as the NewAdmin account. Don’t open a database; as before, just go to the Tools – Security – User and Group Accounts menu option. From the Users tab, under Name, select Admin. Then in the Member Of list, highlight the Admins group and click Remove.

Step 5 Taking Ownership of the Insecure Database:

Since the original database was created with the default Admin account in an unsecured environment, there is no way of removing ownership of that database from the Admin account. So, you need to create a new database and import all the objects from the unsecured database into the new database. Then, at some point, you may want to remove or delete the unsecured database. Make sure you are logged in as the NewAdmin and create a new database. Then from the File menu select Get External Data – Import. Then browse to the location that contains the unsecured database. You will then be presented with the Import Objects dialog. From this dialog, select all the Tables, Queries, Forms, Reports, Macros and Modules that you want to be part of your secured database. On the Tables tab, make sure that you are importing the definition and data.

Step 6 Remove Privileges to the secure database:

So far you have created a new administrator, assigned it to the Admins group and removed the Admin from the Admins group. You have created a secure database and imported objects into that database. But the Admin user is in the Users group, which still has privileges for this database. You need to remove those privileges.
Log in to Access as the NewAdmin and open the secured database. Now, from the menu select Tools – Security – User and Group Permissions. Under List, select Groups. Then, in the User/Group Name list, select Users. Set the Object Type to Database and uncheck all the Permissions that are checked. Press the Apply button.
The old Admin should now not be able to access this database. To test your security, leave Access and reenter as the original Admin. Then try to open the newly secured database. You should get an error explaining that you do not have permissions on this database.

Step 7 Encrypting the Database:

The database is now secure from entry, but one problem still remains. Access internally stores most of the data in the database as raw text. So someone could still easily see the contents of your database by looking at them through a text editor. The last step in securing the database is to encrypt it.
Login to Access as the NewAdmin and open your secured database. From the menu, select Tools – Security – Encrypt/Decrypt Database. Then browse to the database that you want to encrypt and then supply a name for the encrypted database.

Step 8 Additional Users:

You should now have a secure database that can be accessed by a single user only. You can stop there and then use the NewAdmin account to log in to the database through your ASP applications, but you may want to create an additional web user that has the specific privileges that will be needed by your code in ASP applications. You would do this by creating a new user such as you did with the NewAdmin. Then give them permissions to the database and the specific permissions to the database just as we did when we removed the permissions from the admin user earlier.


Hope this helps

rtatnell
07-13-2003, 11:54 AM
right, I'm following, but how do I log in? I get no dialog box when opening access that asks for a login or password.

Ribeyed
07-13-2003, 11:59 AM
Hi,
you got to follow the steps I gave in the above post????????????
Step 1: Create a new user database. If you don't follow step 1 you will not get a login dialog box.

Which version of access are you using?

rtatnell
07-13-2003, 12:08 PM
I'm following the steps to the dot, I've done exactly what's written, I'm running Access 2000

Ribeyed
07-13-2003, 12:14 PM
so what can't you do?

rtatnell
07-13-2003, 12:25 PM
ok, it's appeared for some reason now. (Don't take it that I'm a complete idiot, but I don't know what happened there!)

Ribeyed
07-13-2003, 12:40 PM
ok no problem

rtatnell
07-13-2003, 01:36 PM
ok, now I've got it all secure, what do I do with my asp code; as now, when I use my site I get the message:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver]General error Unable to open registry key 'Temporary (volatile) Jet DSN for process 0x7b8 Thread 0x340 DBC 0xb45b1fc Jet'.

/gwizetk/newhome.asp, line 203

This was my main problem before....

Ribeyed
07-13-2003, 03:14 PM
hi,

> what do I do with my asp code


Do you mean how do you connect using password and username?
If you're using a DSN then this will do:

set DBConn = Server.CreateObject("ADODB.Connection")
DBConn.Open "databaseDSN", "username", "password"




> when I use my site I get the message:
>
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
>
> [Microsoft][ODBC Microsoft Access Driver]General error Unable to open registry key 'Temporary (volatile) Jet DSN for process 0x7b8 Thread 0x340 DBC 0xb45b1fc Jet'.
>
> /gwizetk/newhome.asp, line 203
>
> This was my main problem before....


I provided you with information on how to secure Access in response to your question about security for your Access database for your web site, not for an error. This is the first time I have seen your error and this is the first time you have mentioned this error.

If you are now asking me is this error a result of what you did to secure Access then the answer is no. If you are asking me if I know what the error is, I don't know.

rtatnell
07-13-2003, 03:36 PM
I'm using the code:

Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("db\gamers.mdb")

How would I mod that?

Thanks for all your help; I really appreciate it.
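
One way to adapt the DSN-less connection in the last post to the workgroup-secured database from the eight steps above, as an added example that is not part of the original thread. The workgroup file name secure.mdw, the account webuser and its password are assumptions made for illustration; SystemDB, UID and PWD are the Access ODBC driver's connection-string keywords for the workgroup file and the login.

```asp
<%
' Added example, not code from the thread.
' Assumptions: secure.mdw is the user (workgroup) database created in Step 1
' and uploaded next to the data database; webuser is the restricted account
' from Step 8. The password below is a placeholder.
Const DB_FILE  = "db\gamers.mdb"
Const MDW_FILE = "db\secure.mdw"   ' hypothetical file name
Const DB_USER  = "webuser"         ' hypothetical account name
Const DB_PASS  = "CHANGE-ME"       ' placeholder

Function OpenSecuredDb()
    Dim conn, connStr
    ' The driver needs the workgroup file to validate UID/PWD; without
    ' SystemDB it falls back to the default workgroup and the login fails.
    connStr = "DRIVER={Microsoft Access Driver (*.mdb)};" & _
              "DBQ=" & Server.MapPath(DB_FILE) & ";" & _
              "SystemDB=" & Server.MapPath(MDW_FILE) & ";" & _
              "UID=" & DB_USER & ";PWD=" & DB_PASS
    Set conn = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open connStr
    If Err.Number <> 0 Then
        ' Do not write Err.Description to the page: driver errors can
        ' contain the physical path of the .mdb file.
        Err.Clear
        On Error GoTo 0
        Set OpenSecuredDb = Nothing
        Exit Function
    End If
    On Error GoTo 0
    Set OpenSecuredDb = conn
End Function

Dim adoCon
Set adoCon = OpenSecuredDb()
If adoCon Is Nothing Then
    Response.Status = "500 Internal Server Error"
    Response.Write "The site is temporarily unavailable."
    Response.End
End If

' ... run queries with adoCon here ...

adoCon.Close
Set adoCon = Nothing
%>
```

Connecting as the restricted Step 8 account rather than NewAdmin limits what the page's code can do to the database if the page itself is ever misused.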