First Published 24 Oct 2023                 Last updated 6 Nov 2023

Back in March 2022, I wrote an article, Adding Security to Access Databases - A Wish List.

The article listed 11 security weaknesses that in my opinion should be addressed to make Access files more secure.

Before publishing the article, I had submitted a request to the Access team for each of these items to be fixed in a future Access update, at least for ACCDE files.
Sadly, over 18 months later, there is still no indication of any of these feature requests being implemented.

This article discusses the first of those security weaknesses in more detail and explains why it is important.



The Problem

When an Access developer is building a split database, it is very useful to view the connection details for linked backend Access/SQL Server tables.

However, once a front-end application is distributed as an ACCDE file, there is absolutely no reason for end users to be able to view those connection details.
Indeed, allowing this to happen makes the backend database much less secure.

However, it is far too easy for end users to do so. When ACCDE files are distributed, the navigation pane should normally be hidden from end users.
Where users can view the details of linked tables in the navigation pane, connection string details can be viewed by hovering over any linked table. For example:

Linked Access table:

[Image: Connection String Access table]

Linked SQL Server table:

[Image: Connection String SQL Server table]

Whilst the connection string is visible, the password is not shown. So far, so good!

Next, we can right-click on any linked table and select Linked Table Manager.

[Image: Linked Table Manager]

Select one of the linked table data sources and select Edit to view the connection details.

Linked Access table:

[Image: Linked Access - PWD masked]

Here the password is masked.

Linked SQL Server table:

[Image: Linked SQL - PWD hidden]

In this case, the password is not shown.

Again, so far, all is fine!

However, the hidden MSysObjects system table can easily be made visible by end users.
Doing this immediately exposes the entire connection string for all backend tables in the Connect field.
If the connection string contains a password, this will be shown without a mask.

[Image: MSysObjects - PWD exposed]

This means the password is shown for all linked Access tables in password protected databases.
For ODBC databases such as SQL Server and Azure SQL, different types of connection are available.
Trusted connections do not have a password in the connection string.
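
As an added example (not part of the original article), here is a pre-distribution check that a developer could run over the connection strings of their own linked tables. It flags any string that embeds a password and reports it with the password masked. The table names and connection strings are constructed samples, and the key names matched (PWD, PASSWORD, Trusted_Connection) are assumptions about the strings in use.

```python
import re

# Constructed sample connection strings for a developer's own linked tables
# (illustrative values only; none come from the article).
SAMPLE_LINKS = {
    "tblCustomers": r"MS Access;PWD=ExamplePwd1;DATABASE=C:\Data\Sales_BE.accdb",
    "tblLookup": r";DATABASE=C:\Data\Lookup_BE.accdb",
    "dbo_Orders": "ODBC;DRIVER=ODBC Driver 17 for SQL Server;SERVER=sql01;"
                  "DATABASE=Sales;UID=app_user;PWD=ExamplePwd2",
    "dbo_Items": "ODBC;DRIVER=ODBC Driver 17 for SQL Server;SERVER=sql01;"
                 "DATABASE=Sales;Trusted_Connection=Yes",
}

# KEY=value pairs separated by ';'. A value wrapped in {...} may contain ';'.
PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)")
SECRET_KEYS = {"PWD", "PASSWORD"}


def parse_connect(connect):
    """Return (type_prefix, {KEY: value}) with keys upper-cased."""
    prefix, _, rest = connect.partition(";")
    if "=" in prefix:  # no type prefix such as "ODBC" or "MS Access"
        prefix, rest = "", connect
    attrs = {m.group(1).upper(): m.group(2).strip() for m in PAIR.finditer(rest)}
    return prefix.strip(), attrs


def audit_link(connect):
    """Classify one connection string and return it with any password masked."""
    _, attrs = parse_connect(connect)
    if any(attrs.get(k) for k in SECRET_KEYS):
        finding = "EMBEDDED_PASSWORD"
    elif attrs.get("TRUSTED_CONNECTION", "").lower() in ("yes", "true"):
        finding = "TRUSTED_CONNECTION"
    else:
        finding = "NO_PASSWORD_IN_STRING"

    def mask(m):
        return f"{m.group(1)}=***" if m.group(1).upper() in SECRET_KEYS else m.group(0)

    return finding, PAIR.sub(mask, connect)


if __name__ == "__main__":
    for table, conn in SAMPLE_LINKS.items():
        finding, redacted = audit_link(conn)
        print(f"{table:<14}{finding:<24}{redacted}")
```

Any table reported as EMBEDDED_PASSWORD is one whose password would appear unmasked in the Connect field described above.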

For users running Access runtime, additional security is enforced and the above methods do not work.

Many developers simulate runtime mode by saving files as ACCDE and renaming as ACCDR.
However, anyone with moderate Access knowledge knows that change can be reversed.

It is also possible to view the MSysObjects table in an ACCDR file from an external database.
Although doing this isn't difficult, I am deliberately NOT going to assist anyone trying to hack a database by explaining how it can be done.



Proposed Solutions

1.   One solution to this security weakness is very simple: Mask passwords in the MSysObjects table of ACCDE/ACCDR files.

      However, doing this may be considered impractical for backwards compatibility, in case it breaks functionality in some existing databases.

2.   An alternative would be to create a new more secure version of the ACCDE file type e.g. ACCDS where passwords are masked.
      If this was done, other security improvements could also be included. More details in a future post!

If you would like to see this issue addressed, please vote for my suggestions in the Microsoft Feedback portal.






Colin Riddington           Mendip Data Systems                 Last updated 6 Nov 2023


