Proof-of-Concept Operating System Security


Over the next few pages, I am going to illustrate how you can establish operating system security for your Access databases and associated files on computers that are running either Windows 2000 Professional or Windows XP Professional. Quite a lot of steps are involved in this exercise, and for the target audience (Access developers and DBAs who may have all levels of skills), the examples will include many graphics so that you can visualize what to do. Remember that the main purpose of these examples is to help you become familiar with the underlying concepts of folder permissions. Once you have grasped those concepts, you will be able to demonstrate the viability of this technique to a system (Windows server) administrator. You will also have the knowledge to test anything that they set up for you. For some of you who have small networks that do not use a Windows server computer (such as small teams of developers), you may well be able to use the concepts directly on your databases.

For these illustrations, I will use Windows 2000 Professional, but the same concepts apply to Windows XP Professional. On this computer, which I will call the peer-to-peer server, you will need to have an NTFS-formatted drive (covered later in the chapter) for this demonstration to work. To establish the correct folder permissions, do the following:

  1. Prepare a database folder to hold the database and related files.

  2. Set up a network share so that other computers can use the folder.

  3. Set up the Windows user accounts that will use the database.

  4. Set up a Windows user group to hold the Windows Users that will use the database.

  5. Add the users to the users group.

  6. Set the permissions on the database folder.

  7. Assign your network accounts to the Database Editors user group.

Once established, the security can be tested from a client computer running either of these professional operating systems or Windows XP Home edition. For now, it's time to strap yourself into your chair and start working through the demonstrations.

Preparing Databases in a Protected Folder

The first stage of the exercise is preparing a folder that will hold the database files that we want to protect. We have been working in a folder called \data\ previously in the book, so let us use that as the basis for our protected folder. Follow these steps:

  1. Log on as Administrator on your Windows 2000/XP computer.

  2. On an NTFS-formatted drive, create a folder called \data\. Instructions in section "The All-Important NTFS Format" will follow later in the chapter.

  3. Create a subfolder called \data\Protect\.

  4. Add a copy of the Northwind database to that subfolder.

  5. Split that database into a front end and a back end by using the Database Splitter wizard (see Chapter 4). Save the back-end database into the same \data\Protect\ folder.

The next step involves setting up a network share. This is a folder and all its associated subfolders that will be available to computers on your network.

Setting up a Network Share

Setting up a network share, or "simple file sharing," as it is sometimes called, is a straightforward process. Before you start on your network share, you should ensure that you have already implemented a firewall. The built-in Internet connection firewall on Windows XP will do for starters, though you may need to research others like ZoneAlarm later. Otherwise, you will need to be very particular about the file permissions in your shared folders because you are potentially exposing your data to the real world. The steps to create a network share on a Windows 2000 Professional computer follow:

  1. Right-click the \data\ folder and choose Sharing (or in Windows XP, Sharing and Security), as shown in Figure 12-1.

    Figure 12-1: Establishing a network share on the /data/ folder.

  2. Enter the details for the network share (which I have called Databases), as shown in Figure 12-2. Click OK.

    Figure 12-2: Entering the details for the network share.

  3. You now have set up a network share that other people connected to your workgroup can use. You can see the share called Databases that I have created in Figure 12-3.

    Figure 12-3: The network share, now set up and available to be referenced in the Address bar.

Hiding Your Network Share

If you want your network share to be invisible on the network, you can enter a share name with a dollar sign at the end. If I wanted to set up our example as hidden, I would call it Databases$. From then on, I would reference it as \\Databases$\ .


Setting up a User Account

Now you need to set up a user account on the peer-to-peer server that will be allowed to open and edit information in the database. To set one up, follow these steps:

  1. Open the Windows Control Panel by clicking the Start button and choosing Settings.

  2. Double-click Users and Passwords (in Windows XP, User Accounts).

  3. In the Users and Passwords dialog, shown in Figure 12-4, click Add to add a new user.

    Figure 12-4: Adding new users in the Users and Passwords dialog.

    Note  

    In Windows XP, click Create a New Account to start a wizard that lets you specify the name and type of the new account.

  4. Enter a user name and description. Throughout this chapter, I will use Editor2000 as the account that is allowed to edit the database. Click Next.

  5. Enter a password and confirm it.

    Note  

    This option doesn't exist at this stage of the wizard in Windows XP, because you need to create the account first, then set its password.

  6. Add the user as a restricted user (as shown in Figure 12-5). Windows XP documentation refers to this as a Limited User. This option adds the user to the Users group and does not allow the user to install software on this computer, which is what we want at this stage.

    Figure 12-5: Selecting the Restricted User option.

  7. Click Finish.

The Users and Passwords dialog now reappears, and you will find that the account that you just set up (Editor2000) will be a member of the Users group (as shown in Figure 12-6).

Figure 12-6: The new account, which is now a member of the Users group.

Note  

To see the new account in Windows XP, choose Start > Programs > Administrative Tools > Computer Management. Select Local Users and Groups under System Tools to see the Users and Groups dialog. Select Groups, and a list of the groups on your computer will appear in the right pane. If you double-click the Users group in this pane, a list of the members of this group will appear, including the Editor2000 user.

Note  

If you're using Windows XP, you still need to set the password. To do so, click the newly created account in User Accounts from the Control Panel and select Create a Password. This action allows you to enter a password for the user as well as a hint in case the user forgets his or her password.

Setting up a New Access Editors Group

Now we need to add the new account Editor2000 to a special group of users who will be allowed to edit information in the database. Because this group probably doesn't exist yet, we first need to create the User group that will hold a list of our database users' accounts. Before starting, make sure that you are still able to see the Users and Passwords dialog illustrated in Figure 12-6. Now you are ready to create the Users group, as follows:

  1. Select the Advanced tab and click the Advanced button to open the Users and Groups dialog.

    Note  

    In Windows XP, choose Start > Programs > Administrative Tools > Computer Management. Select Local Users and Groups under System Tools to see the Users and Groups dialog.

  2. To set up a new group, right-click Groups (as shown in Figure 12-7) and choose New Group.

    Figure 12-7: The first stage in adding a new group of users.

  3. Enter the details for the new group in the New Group dialog. I will use the group name Access Editors throughout the chapter.

  4. Click Create to add the group.

  5. Click Close to return to the Local Users and Groups dialog (shown before in Figure 12-7).

Adding the Users to the Group

At this stage, the Local Users and Groups dialog should now be visible. In the next stage, we need to add one or more users to the Access Editors group, as follows:

  1. Select Groups (as shown in Figure 12-8) and then select Access Editors in the list of groups.

    Figure 12-8: Viewing all the groups on your computer.

  2. Choose Action > Properties. You can also open the Properties dialog by right-clicking Access Editors and choosing Properties.

  3. Add all the users that are going to belong to the group by clicking Add on the Access Editors Properties dialog. Now, find the names of the users in the Select Users dialog, and click Add to make that account join the Access Editors group, as shown with the Editor2000 account in Figure 12-9.

    Figure 12-9: Adding user accounts to the Group that will edit your databases.

    Note  

    In Windows XP, enter the name of the user (Editor2000) into the Select Users dialog, then click the Check Names button to ensure that you've typed the name of a valid user.

  4. Click OK when you have completed adding all the users.

You will now return to the Local Users and Groups dialog, where you can explore the properties of the Editor2000 account, as shown in Figure 12-10. As you can see, this new account is now a member of both the Users and the Access Editors group. If you have followed the other chapters on Access workgroups, you will notice the similarity between the Users group in Access and the Users group in Windows 2000/XP. Just what we needed, more shared terminology!

Figure 12-10: The new User account is now a member of two groups.

Testing the New Windows Account

It is a good time now to test whether your new user account actually works and also to see what permissions it has for the network share. To do this, follow these instructions on your peer-to-peer server:

  1. Close both the Users and Passwords dialogs and log off the Administrator account.

  2. Log on to the new user account (Editor2000).

  3. Because we haven't yet set up any special permissions on the folders, the Editor2000 account should be able to open the Northwind database in the \data\Protect\ folder by browsing to it in Windows Explorer.

  4. Because we are going to use this \data\ folder as a network shared folder, you can use the official name of \\ComputerName\Databases\ to locate the folder, where ComputerName is the name of your computer and Databases is the name of the network share. Type this name into the Address bar of Windows Explorer, as shown in Figure 12-11.


    Figure 12-11: Typing the path to the Network share into the Address bar.

  5. Test that you can open the Northwind database by double-clicking the file in Windows Explorer. You may need to start Access by itself because this may be the first time that you have used Access with this new account. If it is your first time and you use Windows Explorer to open the database, Access will start with a few error messages and will not work properly.

Setting Permissions on the Folder

Now we are finally at the stage where we are ready to establish the permissions for the database folder so that only our Access Editors group can use the folder. To complete this process, follow these steps:

  1. Log on again through the Administrator account on your peer-to-peer server; we are now going to apply permissions to the folder.

  2. Open Windows Explorer and find the Protect subfolder within the new Databases network share by using the path \data\Protect\. Right-click that Protect subfolder and choose Properties, as shown in Figure 12-12.


    Figure 12-12: Choosing properties to change permissions on a folder.

  3. Select the Security tab.

    Note  

    The Security tab may not appear in Windows XP. To ensure that it does appear, choose Tools > Folder Options in Windows Explorer, then select the View tab. Ensure that the Use Simple File Sharing (Recommended) check box in the Advanced Settings list is cleared.

  4. Select the Everyone group at the top of the dialog. (See the following note for Windows XP instructions.)

  5. Clear the Allow Inheritable Permissions from Parent to Propagate to This Object check box (shown in Figure 12-13). This action immediately opens another dialog, which asks whether you want the permissions currently applied to the Everyone group to be inherited by this folder. Because we want only fully authenticated users to use this folder, click Remove.

    Figure 12-13: Removing permission from the Everyone group.

    Note  

    Permissions aren't granted to the Everyone group by default in Windows XP; however, we do want to remove permissions for the Users group. To do this, select Users in the Group or User names drop-down list, and then click Advanced. Clear the Inherit from Parent... check box on the Permissions tab, then click Remove in the Security dialog as in Windows 2000. Finally, click OK to close the Advanced Security Settings dialog. You will be shown a warning that says that no one will now be able to access the folder. We're going to rectify this straightaway, so accept the changes.

  6. Now we need to add two groups to the permissions for this folder: the Administrators group for this computer and the Access Editors group that we established earlier. In Figure 12-14, I have already added these groups to the Permissions list by first selecting each group and then clicking Add.

    Figure 12-14: Adding the two groups to the permissions for this folder.

    Note  

    In Windows XP, simply type the names of the groups you want to grant permissions to (Administrators and Access Editors) in the field, separated by a semicolon. You can then click Check Names to ensure that you entered valid user or group names.

  7. After you have added the second group, click OK to return to the Folder Permissions dialog.

  8. Now we need to establish the correct permissions for the Access Editors group so that members of that group can read, edit, and delete any data or file in the Protect subfolder. On the Security tab on the Protect folder Properties dialog, which you can open by right-clicking the folder, select all the permissions except Full (as shown in Figure 12-15).

    Figure 12-15: The file and folder permissions.

  9. We also need to establish the correct permissions for the Administrators group (of this peer-to-peer server) so that they can read, edit, and delete any data or file in the Protect subfolder. Select Administrators in the name list and select the Full Control check box. That's all the permissions we need to establish at this stage.

    Note  

    You must log off for the folder permissions to take effect.

Testing the Permissions

Let's test that all the permissions for the \\ComputerName\Databases\Protect\ folder have been set up correctly. To do this, you need to try out the permissions for user accounts that belong to different groups.

  • Try out a member of the Access Editors group (Editor2000). This account should be able to use the front-end database (Northwind.mdb) as normal.

  • The administrator of the peer-to-peer computer should be able to undertake all tasks in the folder as normal.

  • If your peer-to-peer server is part of a local area network, try to open the \\ComputerName\Databases\Protect\ folder, and you should encounter the error shown in Figure 12-16.

    Figure 12-16: The error that appears when a user account cannot open a folder.

  • If you only have one computer, log on as the administrator of the peer-to-peer computer and create a new restricted/limited Windows account. Do not add this account to any groups. Now test whether that new account can open the Protect folder. It should also encounter the same error as shown in Figure 12-16.

If you cannot open the folder when trying out the third or fourth test, that's perfect because you now have a folder that only members of the Access Editors group and Administrators of the peer-to-peer server can use.
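
The same result can be confirmed by reading the folder's access control list directly rather than by logging on as each account. The following PowerShell script is an added example, not part of the original chapter; it assumes PowerShell is installed (it is not built into Windows 2000 or XP) and that the folder is at C:\data\Protect, a drive letter the chapter does not specify.

```powershell
# Added example (not from the book): audit the ACL on the protected folder.
# Assumptions: PowerShell is installed, and the folder is C:\data\Protect
# (the chapter does not name a drive letter).
function Test-ProtectedFolderAcl {
    param(
        [string]$Path = 'C:\data\Protect',
        [string]$EditorsGroup = 'Access Editors'
    )
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    $findings = @()
    $adminsFull = $false
    $editorsModify = $false

    # Step 5 of the procedure: the folder must no longer inherit from \data\.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent folder is still enabled.'
    }

    foreach ($rule in $acl.Access) {
        # Drop the COMPUTERNAME\ or BUILTIN\ prefix before comparing names.
        $name = ($rule.IdentityReference.Value -split '\\')[-1]
        $rights = [int]$rule.FileSystemRights
        $isAllow = "$($rule.AccessControlType)" -eq 'Allow'

        if (-not $isAllow) {
            $findings += "Deny entry for $name; the procedure adds none."
        }
        elseif ($name -eq 'Administrators') {
            # Step 9: Administrators receive Full Control.
            if (($rights -band $full) -eq $full) { $adminsFull = $true }
        }
        elseif ($name -eq $EditorsGroup) {
            # Step 8: everything except Full Control, which is at least Modify.
            if (($rights -band $full) -eq $full) {
                $findings += "$EditorsGroup holds Full Control (step 8 withholds it)."
            }
            elseif (($rights -band $modify) -eq $modify) { $editorsModify = $true }
        }
        else {
            # Everyone, Users or any other account should have been removed.
            $findings += "Unexpected entry: $($rule.IdentityReference.Value)"
        }
    }
    if (-not $adminsFull)    { $findings += 'Administrators lacks Full Control.' }
    if (-not $editorsModify) { $findings += "$EditorsGroup lacks Modify rights." }
    return ,$findings
}

$result = Test-ProtectedFolderAcl
if ($result.Count -eq 0) { 'PASS: ACL matches the procedure.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it while logged on as an Administrator of the peer-to-peer server, because an account with no rights on the folder cannot read its permissions either.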

Assigning Your Network Account to the Database Editors Group

As I was alluding to in the previous sections, you can establish what amounts to quite powerful operating system protection for your database by using a Windows peer-to-peer network. If this happens to be the situation under which your database operates, you can easily make any other computers on your network a client to your peer-to-peer server. If that is the case, you will probably be keen to join that client computer to the Access Editors group on the peer-to-peer server that we set up in the last section. In the following instructions, I will show you how to do this:

  1. Make sure that your account is set up on the client computer and that it has a password. It is a prerequisite of Windows peer-to-peer networking that the peer-to-peer server knows both its password and the account password for the client computer.

  2. On the server computer, log on as the Administrator and choose Control Panel > Users and Passwords.

  3. On the Users tab, click Add.

  4. Enter the user name information for the user on the Add New User dialog (as shown in Figure 12-17). In this case, the name of the user must be the same as that on the client computer (I called it Contractor 1). Click Next.

    Figure 12-17: Setting up an equivalent user account on the peer-to-peer server.

  5. Enter and confirm the password by using exactly the same password as on the client machine (as shown in Figure 12-18).

    Figure 12-18: Entering and confirming the password on the peer-to-peer server.

    Note  

    In this environment, regularly changing account passwords is not encouraged because the network administration can become onerous. This condition especially applies when you are getting close to the peer-to-peer network limit of 10 computers.

  6. When selecting your account type, you can either add the account as a restricted user and then join it to the Access Editors group later or just add it directly to the Access Editors group as I have done in Figure 12-19.

    Figure 12-19: Joining this new user to the Access Editors group.

    Note  

    The Other option isn't available for Windows XP if you create the account with the User Accounts wizard from the Control Panel. Instead, you need to create a limited user account and then add it to the group later by using the Computer Management snap-in. Alternatively, you can simply create the account through Computer Management instead of the wizard.

  7. Now click Finish, close any open security dialogs, and log off both the server and the client computers.

  8. On the client computer, log on by using the account that you just set up.

  9. Go to the \\ComputerName\Databases\ network share and try to open the \Protect\ subfolder, and you should find that you have access to that folder. You now have rights to that folder as a member of the Access Editors account. In fact, you have rights to that entire computer, according to the permissions of the Group accounts that you are a member of on the server computer.

That completes the material that shows you how to set up the appropriate permissions for users who are authorized to open your database. You can now do the following:

  • Add a new user to the Access Editors users group, which will allow that account to open the database.

  • Remove any user account from the Access Editors users group so that user will not be able to open the database.

  • Remove the account from the server, and you will automatically remove that account from any groups that it is a member of.

Now I will show you how you can build on these folder permissions considerably by protecting your database folder from your Access Editors group.




Real World Microsoft Access Database Protection and Security
ISBN: 1590591267
EAN: 2147483647
Year: 2003
Pages: 176
