Overview of Applicable Operating System Security



Access is a software development and database system that is largely operating-system independent. I know that because I develop and test Access 97 to Access 2003 on machines that run Windows 95 to Windows XP for clients who run all flavors of networks and desktops. Because of this operating-system independence, it is easy to neglect the operating system as part of the strategy for protecting your databases. Conversely, if you work with SQL Server or the like, you are far more aware of the operating system on the server and, in particular, of the use of Windows user accounts to validate your database users' credentials. Whatever your background, this chapter provides demonstrations that show how and why you should protect the folders where the database files live, and thereby protect the database itself.

So, how do we establish this security? If you have Windows XP Professional or Windows 2000 Professional, you have an operating system that lets you create separate Windows accounts and apply permissions to different groups, just as the administrator of a large company network does.

So that the majority of readers can test this information, I've made the demonstration for a single computer. When that test is complete, I will show you how to apply the same permission techniques to a peer-to-peer network. With that information under your belt, you can chat to your systems administrator about what needs to be set up on the server to protect the database file collection.

Note  

You may notice some interesting similarities between operating system security and workgroup security as you read this chapter. In particular, watch for the preferred practice of allocating permissions to groups rather than users.

Do not be alarmed at the number of pages devoted to using this technology. Once you get the hang of it, you will be able to do the whole setup in less than a morning, especially if you work through the samples with your system administrator.

Caution  

Operating system security on its own is not the complete answer; it is only one of the many layers of defense that you need to place in the way of your would-be database scoundrel. If you set up operating system security, you also need to put in place many of the other security measures discussed in this book to support it. Return to the Chapter 1 driving instructions to see what protection to apply in different situations.

What You Need to Know to Talk to Your System Administrator

Because this book is targeted at an audience of Access specialists rather than system administrators, the material in this chapter caters to readers with a wide variety of experience with Windows 2000, Windows XP Professional, or Windows Server 2003 data security. I provide an overview of three different permission groups into which you will need to divide your database users. For the purposes of this description, we are going to protect a folder whose primary purpose is holding the database. This folder will hold a front-end database and a back-end database, the .LDB lock files created when users open the databases, and the workgroup file when the database is shared between users. Though there are many ways to slice and dice your operating system permission groups, I believe that the best protection strategy that operating system security offers is to use the following three user permission groups. It's important to remember that if a person is not a member of one of these groups, that person won't be able to open any files in the database folder.

The Access Editors Group

Access editors are all the users who will change data, change objects in the database, or even just need read-only access to the data. The folder permission scheme should allow members of this group to create, read, and write files in that folder, because these are the permissions necessary to run a shared database: even a read-only user needs to create and write to the .LDB lock file that Access keeps beside the database, and without those permissions Access cannot create the lock file and falls back to opening the database read-only. When I discuss the Access protected folder strategy, I will revoke some of the permissions granted to this group so that you can make it extremely hard for its members to copy your databases.

The Access DBA Group

The persons who administer the database need permission to see all the files in the folder, in addition to all the permissions allocated to the Access Editors group. You need this group only if you adopt the Access protected folder strategy.

The Administrator

This account makes the permission changes on the server and on the local computers when they are secured. If you can help it, do not use the administrator account for any task other than administering the computer. There is nothing new about this account: it exists on every Windows 2000 or Windows XP computer.

Configuring These Folder Permissions

When you are dealing with operating system security for Windows 2000, Windows XP, and Windows Server 2003, you are dealing with two styles of network, as follows.

Peer-to-Peer Network

In a peer-to-peer network, a group of networked computers share resources such as files, printers, and scanners. All computers in the workgroup share resources as equals, without a dedicated server. Each computer in the network maintains a local security database, which contains a list of user accounts and resource security information specific to that computer. That security database also holds the security information that allows other computers to use the current computer's resources.

Windows Server Domain

A Windows Server domain is a collection of computers, defined by the administrator of a Windows Server network, that share a common directory database (Active Directory). A domain has a unique name and provides access to the centralized user accounts and group accounts that the domain administrator maintains. Each domain has its own security policies and security relationships with other domains and represents a single security boundary of a Windows 2000 computer network.

An important part of the domain for Access security is the roaming profile. When a person logs on to a domain, Windows copies that person's Documents and Settings files (the user profile) to the local computer. If this is how your server manages user profiles, you need to be aware of the permissions on the local machine if people are storing important information in their own personal folders. You should discuss how this works with your system administrator.

Caution  

Folder permissions will not work on a hard drive that has been formatted as a FAT or FAT32 volume; on such a volume only the coarser share permissions are available. If your file server is old, check which file system the volume holding the database uses; you may benefit from the information on NTFS volumes later in the chapter.

Applying the Permissions

When securing information with the operating system, there are three levels at which you can apply these permissions:

  • The Share level, which is a top-level directory that is established so that members of a workgroup can share a drive or a folder and its subfolders. You will always need to set up a network share before users on other computers can reach the folder at all, and before you apply any of the more powerful permission structures. Share permissions apply only to access over the network, and a network user's effective permission is the more restrictive of the share permission and the folder permission.

  • The Folder level, which allows you to share folders and the files in them. It is possible to nest different permissions structures within subfolders of a parent folder.

  • The File level, which allows you to apply permissions to individual files. This form of protection is generally not encouraged because it can be difficult to maintain the permissions. You can read more on this topic in the section "Why You Can't Set Permissions on Individual Files."

Now that you have had a brief overview of where you can apply operating system security, let's have a look at a real-world example of how to set up operating system security. Once armed with this knowledge, you will be able to convey to your systems administrator the practical requirements for protecting an Access database.
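The three-group scheme from the first part of this chapter, the FAT/NTFS caution, and the share-versus-folder levels above, worked through as one script for a single computer or a peer-to-peer share. This is an added example and not from the book: it assumes a Windows 10 or Windows Server 2016 (or later) machine, because PowerShell and its LocalAccounts, Storage and SmbShare modules did not exist on Windows 2000/XP; on those systems the same access control entries are created on the Security tab of the folder's Properties dialog or with cacls.exe. The folder path C:\AccessDB, the share name AccessDB, and the account names in the comments are assumptions, and the book's "Administrator" is mapped to the built-in Administrators group.

```powershell
# Added example (not from the book). Sets up the Access Editors / Access DBA /
# Administrators folder permission scheme on a single computer and shares it.
# Assumes Windows 10 / Server 2016 or later and an elevated PowerShell prompt.
# The path, share name and account names in comments are assumptions.

$DbFolder   = 'C:\AccessDB'       # assumed: holds the FE, BE, .ldb and .mdw files
$ShareName  = 'AccessDB'          # assumed share name
$EditorsGrp = 'Access Editors'
$DbaGrp     = 'Access DBA'

# Folder permissions need an NTFS volume; share permissions alone work on FAT.
$fs = (Get-Volume -DriveLetter $DbFolder[0]).FileSystem
if ($fs -ne 'NTFS') {
    throw "Volume holding $DbFolder is $fs; folder permissions require NTFS."
}

# 1. Local groups. Allocate permissions to groups, never to individual users.
foreach ($grp in $EditorsGrp, $DbaGrp) {
    if (-not (Get-LocalGroup -Name $grp -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $grp -Description "Access database folder: $grp" | Out-Null
    }
}
# Membership, with assumed account names:
#   Add-LocalGroupMember -Group $EditorsGrp -Member 'alice', 'bob'
#   Add-LocalGroupMember -Group $DbaGrp     -Member 'dbadmin'

# 2. The folder itself.
New-Item -ItemType Directory -Path $DbFolder -Force | Out-Null

# 3. Folder (NTFS) ACL: stop inheriting from the drive root and drop any explicit
#    rules, so that only the entries added below remain.
$acl = Get-Acl -Path $DbFolder
$acl.SetAccessRuleProtection($true, $false)        # $false: discard inherited rules
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

function New-FolderRule {
    param([string]$Identity, [string]$Rights)
    # One Allow entry that applies to the folder, its subfolders and its files.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
}

# Editors: read + write + create. 'Write' covers creating and writing the .ldb lock
# file, which every user, even a read-only one, needs. Delete is deliberately not
# granted, so editors cannot remove the database files; an .ldb left behind when
# the last user exits is harmless, Access simply reuses it next time.
$acl.AddAccessRule((New-FolderRule -Identity $EditorsGrp -Rights 'ReadAndExecute, Write'))
# DBAs: everything the editors have, plus Delete, so they can replace or compact files.
$acl.AddAccessRule((New-FolderRule -Identity $DbaGrp -Rights 'Modify'))
# Administrators and the operating system itself: full control (backup and antivirus need it).
$acl.AddAccessRule((New-FolderRule -Identity 'BUILTIN\Administrators' -Rights 'FullControl'))
$acl.AddAccessRule((New-FolderRule -Identity 'NT AUTHORITY\SYSTEM'    -Rights 'FullControl'))
Set-Acl -Path $DbFolder -AclObject $acl

# 4. Share level. Keep the share permission simple (Change for any logged-on user)
#    and let the folder ACL decide: a network user's effective permission is the more
#    restrictive of share and folder permissions, so non-members still get nothing.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $DbFolder -ChangeAccess 'Authenticated Users' | Out-Null
}

# 5. Check the result: only the four identities above should appear, none inherited.
(Get-Acl -Path $DbFolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Run the script once on the machine that holds the database folder; the same entries, translated to domain groups, are what you would ask a system administrator to create on a server. To test the scheme, log on as a member of Access Editors and open the shared database, then log on as an account in none of the groups and confirm that the folder cannot be opened at all.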




Real World Microsoft Access Database Protection and Security
ISBN: 1590591267
Year: 2003
Pages: 176