Data Protection in Access
A small digression. What is an RDBMS? It stands for relational database management system. But what does relational mean? To keep it simple, these are databases built on tables. Are there other kinds? Yes, there are: knowledge bases, hierarchical databases, object-oriented databases. There are also file-based databases built on the Indexed Sequential Access Method (ISAM). In such a system each table is kept in a separate file, and the name ISAM comes from the physical way the data is stored and accessed. dBase, FoxPro, Paradox and Excel can serve as examples of ISAM databases. Some theorists class ISAM as relational; others hold that a full-fledged RDBMS must not only store and retrieve information but also ensure its integrity. Access, in this sense, sits somewhere in the middle. It can perform some checking functions, but it is a long way from SQL Server. There are other kinds as well, but that is a separate conversation.
And so, let us continue. A more or less advanced developer builds the database in two, and sometimes more, parts. The split into an interface part and a table part has to be made when the program is ready to be handed over for use, and sometimes earlier (if you are not writing the program only for yourself). This makes it easier to maintain a program installed at the client's site. It is practically a mandatory requirement when building multi-user file-server systems. The question of protecting the client part has already been raised here. I want to look into protecting the data held in the tables. We will consider the file-server deployment of the database.
Before we start talking about protection, you should clearly understand what you want to protect your data from. Protection comes in different levels and degrees of difficulty. It can turn out that meeting a requirement to protect all the data thoroughly costs more development and debugging effort than the database itself. And remember that what one person has made, another can always break. And no protection will save you from ordinary sloppiness. I have seen cases where the login and password were written on a piece of paper, and the paper was then stuck to the monitor so as not to lose it. And this is not a joke. It happens because the ordinary employee of a company or department usually has no interest in protecting information. Their task is to get through the prescribed working hours, and with the most comfort for themselves. Hence the result: passwords are issued to EACH employee, but they write them on a piece of paper (a shared list) and put it under the glass on the desk. Such a mess usually ends with someone having entered or deleted something in the wrong place. The investigation begins, and only then does it dawn on the operator that if he had not disclosed his password, nobody could have got into the database and rummaged around under his name. Hence the conclusion: protecting the database is the job of the MANAGER, not the operator. Let us now consider the ways of protection. There are several levels and methods.
Administrative method
It protects most of the database with the tables from unauthorized copying. Writable CD/DVD drives, floppy drives, Zip and Jaz drives and magneto-optical drives are removed from the computers, and USB ports are disabled in software by the system administrator. All operations that write to removable media can be performed only by designated persons. If there is Internet access, the proxy server is configured accordingly. Full versions of Access are removed from users' machines and run-time versions are installed; administrator rights are taken away. This situation can now be seen at many companies with an established structure and well-organized operations, where personal computers really are personal, and not, as the old joke went, personal computers for collective use.
Sometimes, regrettably, administrative protection turns into farce: USB ports are sealed with paper stickers, and the guards at the checkpoint are instructed to check people entering and leaving for diskettes (just think, what an archaism, stealing on a diskette) and disks... Yet many people calmly walk around with mobile phones that have a built-in flash card. Protection of this kind shows that it is being handled by someone far removed from computing matters. Usually this picture is found at state enterprises. In general, it would not hurt for the department in charge of protection to hang up a poster like this:
If information is recorded, it can be read; if it can be read, it can be copied; if it can be copied, it can be stolen.
Disguising the database
As I wrote earlier, we are talking about a split database. The part with the tables is usually kept on the server, and all users must have access to it. Usually there is a shared directory on the server (the name can be anything) through which users exchange files, where documents of general use are kept, and so on. Nobody forbids you to create a suitable directory and disguise it as an official one by giving it some clever-sounding name. Place the database in it (a well-established, long-used system usually becomes overgrown with a heap of additional directories, files, templates and so on) and give it an extension other than MDB. When you link the tables, you specify the exact path and name of the database. Access does not care what the file is called; what matters is that the structure matches. At one time, in Donetsk, I came across the Accent system (an accounting program). It was written in VC, but it used MDB files with the extension acc as its data store. I have even seen suggestions to change the file header and substitute the correct one before linking. But I would not advise doing that. Some guard programs (antivirus monitors) identify direct write operations as virus attacks and block them.
Besides, in a multi-user environment it is enough for one client to be connected to the database with the tables, and the changed header will be restored. So that the path to the database with the tables cannot be determined by simply viewing the client part, the path is encrypted and restored only at the moment of linking. So that the links cannot be copied from the client module, it is recommended to disconnect all linked tables when work ends and connect them again at startup. But this works well only for a module that is not running. One only has to start the client part and the links to the data tables are restored. After that it is possible to connect from a blank database to the running client application and copy the table links. To prevent this, you can use auxiliary starter programs. For example, ReleaseUpdate (http://am.rusimport.ru/MsAccess/topic.aspx?ID=533). It checks whether there are updates for the client part; if there are, it updates the client part and then launches it. The client part can be placed somewhere in Program Files, in a special directory, and the path to it, which is held in an internal table of ReleaseUpdate, can be encrypted. There are other ready-made programs of this kind.
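The unlink-on-exit, relink-on-start routine described above could be written in DAO as follows. This is an added example, not code from the original article; the table names follow the article's Table01 convention and are assumptions, and the back-end path is passed in already decoded (how it is stored and decoded is left to the application).

```vba
Option Compare Database
Option Explicit

' Added example: the table list below is an assumption, not a real system.
Private Const LINKED_TABLES As String = "Table01;Table02;Table03"

' Call at startup, after the stored back-end path has been decoded.
Public Sub LinkBackEnd(ByVal strBackEndPath As String)
    Dim db As DAO.Database
    Dim tdf As DAO.TableDef
    Dim varName As Variant

    If Len(Dir$(strBackEndPath)) = 0 Then
        ' Do not put the path into the message shown to the user.
        Err.Raise vbObjectError + 1, , "Back-end file not found."
    End If

    UnlinkBackEnd                        ' start from a clean state
    Set db = CurrentDb
    For Each varName In Split(LINKED_TABLES, ";")
        Set tdf = db.CreateTableDef(CStr(varName))
        tdf.Connect = ";DATABASE=" & strBackEndPath
        tdf.SourceTableName = CStr(varName)
        db.TableDefs.Append tdf          ' creates the link
    Next varName
    db.TableDefs.Refresh
End Sub

' Call when the application closes, so the saved client file
' holds no links and therefore no back-end path.
Public Sub UnlinkBackEnd()
    Dim db As DAO.Database
    Dim i As Long

    Set db = CurrentDb
    ' Walk backwards because deleting changes the collection.
    For i = db.TableDefs.Count - 1 To 0 Step -1
        If Len(db.TableDefs(i).Connect) > 0 Then
            ' Deleting a linked TableDef removes the link only, not the data.
            db.TableDefs.Delete db.TableDefs(i).Name
        End If
    Next i
    db.TableDefs.Refresh
End Sub
```

As the article points out, the links exist for as long as the application is running, so this only keeps the path out of a client file that is not in use.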
At one enterprise I was shown a system of this kind. The directory sat on the server with general access and had a name like SystemControlFS. Users could not delete anything there. It held a heap of files and directories and the file SystemControlFS.exe. An attempt to run it produced a message that you do not have administrator rights. The database was disguised as one of the auxiliary files.
WARNING. Never give the database an extension reserved for temporary files. Otherwise a disk cleanup program may delete it. Do not give it the extension of a multimedia file either. Otherwise users, out of curiosity, will keep trying to launch it to see what the admin is hiding on the server.
Disguising tables and fields
Let us assume that a malicious intruder has managed to get around your protection and reach the tables. What then? Here too you can spoil things a little for the hacker. How do you name your tables? Russian versions of Access understand Russian names, and at first tables get names such as Addresses of Organizations, Arrival of Goods, Goods and Transport Waybills and so on. Quite soon the developer comes to understand that spaces in names greatly complicate life, and names such as ADRESORGANIZACII, POSTUPLENIETOVARA, TOVARNOTRANSPORTNYENAKLADNYE appear. After a while tables appear with names like Sotrudniki, Tovar, Otdel. And finally names such as tblAdressOrg (or tbAdressOrg), tblOtdel, tblZarplata appear. The same happens with the names of queries, forms, macros and reports, and likewise with the names of fields in tables and controls on forms. To make the database more readable, the Description properties of tables, queries, forms, reports, macros and fields are filled in.
But now picture this. You open the database, and there you find Table01, Table02, Table03 ... Form01, Form02 ... Report01, Report02 ... The fields in the tables are named Field01, Field02 ... In general, you have understood me. But for this you must have everything written down in the greatest detail on your own computer or on a sheet of paper: the name of the table, its purpose, the name of each field and the nature of the information in it. This requires additional working time and greater discipline. Not everyone readily agrees to that.
And what about the relationships between tables? With the data schema open, it is easy to trace the relationships between the tables and then... Books and forums have said a great deal about the usefulness and necessity of setting up relationships between tables: preserving data integrity, cascade deletion of records, faster query execution, and so on. I will not argue about the usefulness of relationships, but it is possible to do without them. Let people scold me and point fingers at me, but I will say that fairly complex applications can be built in Access without creating a data schema. I say this from my own experience. But in that case you take on all the work of preserving the integrity of the database, deleting data and resolving critical situations. This means additional code, more careful programming and additional checks during some operations (deletion, for example), and a more careful order of work with the tables. All of this is additional effort, but it is not as complicated as it seems at first. And the data schema can also be drawn on paper. (That is what I did.)
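One of the additional checks on deletion mentioned above, as an added example that is not from the original article: with no relationship defined, the code itself has to refuse or cascade the delete and keep both statements atomic. The table names follow the article's naming style; tblSotrudniki and the field names ID and OtdelID are assumptions.

```vba
Option Compare Database
Option Explicit

' Added example. Returns True if the department row was deleted.
Public Function DeleteOtdel(ByVal lngOtdelID As Long, _
                            Optional ByVal blnCascade As Boolean = False) As Boolean
    Dim ws As DAO.Workspace
    Dim db As DAO.Database
    Dim blnInTrans As Boolean

    On Error GoTo Failed
    Set ws = DBEngine(0)
    Set db = ws(0)                       ' the current database, inside ws

    ' The check the engine would make if a relationship were defined.
    If DCount("*", "tblSotrudniki", "OtdelID = " & lngOtdelID) > 0 Then
        If Not blnCascade Then Exit Function   ' refuse: rows still refer to it
    End If

    ' Both deletes succeed together or not at all.
    ws.BeginTrans
    blnInTrans = True
    db.Execute "DELETE FROM tblSotrudniki WHERE OtdelID = " & lngOtdelID, _
               dbFailOnError
    db.Execute "DELETE FROM tblOtdel WHERE ID = " & lngOtdelID, dbFailOnError
    ws.CommitTrans
    blnInTrans = False

    DeleteOtdel = True
    Exit Function

Failed:
    ' Undo a half-finished delete so no orphaned rows are left behind.
    If blnInTrans Then ws.Rollback
    DeleteOtdel = False
End Function
```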
And now, the critical remarks. I have already written about the inconvenience of building queries and working with recordsets, and about the additional programming difficulties related to the data schema as well. But I did not mention that the text of every query can be viewed without any trouble even in an MDE file. Even the fact that forms cannot be edited is no obstacle to finding the query on which a form is based. Even if you typed the text manually into the data source field, that does not save it from being viewed through the Properties panel (form). A patient user, sitting down with paper and pen, can reconstruct the data schema.
Encrypting the contents of table fields
Here we need to be more specific. It is possible to encrypt the whole database, and it is possible to encrypt the contents of individual fields in a table. Let us consider the second possibility first.
This method of protection is not bad. At any rate, there is a real hope of saving something. However, there are a number of restrictions. Only text fields or fields of type MEMO should be encrypted. With a little thought you will understand why. At the very least, when encrypting numeric fields you may get a non-numeric value as the result. However, this is easy to work around. I have seen variants where the record counter was used to encrypt numeric data. For example, it was combined with the required number. Or the last digit was read from the counter and added to the number. But numeric data can be encrypted only in particular cases, when the values can be uniquely tied to a specific object or action. In the remaining cases it is enough to encrypt text information, and even that selectively. For example, client names, their addresses, contact telephone numbers, bank account details, and the surnames and job titles of the customer's (client's) inspectors. In general, depending on the requirements, what must be encrypted is whatever allows a record to be uniquely identified.
With what, and how, can you encrypt? With whatever you like and however you like. Here everything depends on your skills and experience. You can write your own function. You can use special libraries. An example can be seen on the site of Sergey Podosenov (aka SRG), here: http://mdbprogs.narod.ru/arCL.htm. You can combine the pleasant with the useful: instead of encrypting the contents of a field, compress them using data-archiving libraries. For example, zlib.dll (zlibwapi.dll). The address of the site is http://www.zlib.net/. And if you are keen, you can develop a compression routine yourself. But it is not worth complicating the encryption algorithm unnecessarily, because the data has to be decrypted before it can be displayed and processed. And that takes time. And the more fields you have encrypted and the fancier the encryption algorithm, the more time it takes.
Well, and now, as always, we come to the drawbacks of this method. I have already mentioned that it takes time. Data that is subject to encryption cannot be entered directly into tables and forms. Special forms have to be made for entering and editing records that contain encrypted or compressed data. But in some cases this is even for the best. Access to such forms can be granted only to certain users with the corresponding privileges. If you use self-written functions (functions of your own development), the encryption algorithm and the key are contained in the program, which means there is a potential vulnerability. In this case it is recommended to move these routines into a separate module. If the user's client part is in MDE format, he will not be able to determine which file is connected through References. Of course, under a debugger it is possible to determine which library (function, class) is missing. For this, the potential burglar must have at hand both the client part of the database and the part with the tables. And that already takes more than an ordinary user's skills. If you use DLL libraries, questions may arise about their installation and registration. But on the Internet you can find examples of how to install and register a DLL from the Access database itself. Besides, the installation of DLLs and OCXs can be entrusted to the installer program of the client application (if you have one). After all, there are many free programs on the Internet for building installation packages, for instance InnoSetup. Having spent some time, you can create your own installation package intended for installing the necessary libraries.
Protection at the level of domain policies
On the Access forum at SQL.RU I came across this remark: "Throughout my whole working history with Access, I was firmly convinced that protecting an Access FS (file-server) database (mdb\mde) on a network (and not only Access, but FS in general) from unauthorized access is simply impossible. Until one very strong admin at my client's demonstrated this trick to me. A file server, Access, a domain, AD, a share (full access, since this is required for FS), applications on the client PCs (more than 20) work with the file as usual, ordinary linked tables. But... Neither over the network nor in the console, even knowing the path to the share and the file name, could I copy (pull) the DB file from the server, nor open it with any sane program: a ghost. I banged and banged at it... No luck. What he conjured up there with the policies I do not know, I did not pry. But the fact is, I could not gain access to the DB file itself. And the admin used only the standard facilities of a Windows server. After this event I fell to thinking. About life, about admins and about FS technology, one of my sharpest complaints about which was the "unprotectability" of the DB store on a network. If I had been told this BEFORE this event, if I had not myself tried unsuccessfully to "crack" his CAD system, I would not have believed it."
The details were not disclosed, but a suggestion was voiced, as one version: for example, user user1 has logged in to Windows and has no rights to access the network directory with the database, but the application is started with the rights of another user, user2 (through runas, or specified in the properties of the shortcut), who does have such rights.
I do not claim to be a specialist in Windows administration, but from my own experience I can tell the following. When I needed to work with SQL Server Developer, our admin installed it on my computer in such a way that I could freely work with the databases, which were stored locally right there on the computer, and knew the folder where they lay, but could not go into it.