How secure are values in code?

[KornGeek]

I have some VB code that contains values that I don't want users to be able to see. I know I can password protect the code and convert it into an mde. What I'm concerned about is if someone could hack into either the mde file itself or somehow view the memory where it is running to extract these values. I've used some DOS utilities to search the saved file, and I haven't found any of the values there, but I'm under a lot of pressure to protect this data.

I realize that Access isn't necessarily the best choice for secure data, but sometimes we have to play the hand we're dealt.

Does anybody have any experience with this? Are there any utilities you can recommend for viewing the memory or searching the file? I would like to know what opposition I'm likely to face.

Thanks. Sleep is for people with no caffeine.

 

[Schof]

From what I have read password protecting your project is pretty much useless. Creating an MDE is the way to go because your code is compiled and inaccessible from then on. With that said, I have not read of any decompilers that will bring the source code back but maybe that is what you should be searching for in these and other newsgroups (e.g. microsoft.public.access.security).

 

[KornGeek]

Schof,
Thanks for your input. I agree that password protecting the database is useless. I stumbled across a utility available for free that will give you the password to any Access 97 or 2000 database. I was talking about the password for the code, which I believe is necessary to create the mde anyway.

I'll check the newsgroup you listed. That seems like a good place to start. The most difficult thing about doing security is that you need to start by thinking like a hacker. Sleep is for people with no caffeine.

 

[Schof]

You'll find this link in the newsgroup but here it is to save you some time. It is an article published regardng the Microsoft Access Security FAQ. It is good reading if you want to make it so only authorized people are able to login to your application.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;207793

FYI: You don't need a password to protect the code when you create an MDE.

 

[KornGeek]

The problem I'm having isn't with limiting user access to my database. The problem I'm concerned with is hackers extracting data from my code. I have values (similar in concept to a password) that I hardcoded into my program code. I want to make sure there is no way (without an unreasonable amount of effort) that a hacker could extract these values. Sleep is for people with no caffeine.

 

[Stevenje]

I thought you could still get to the code and database tables if you hold shift as you open the mde file. I have been able to do this and see the raw data, and code. I couldn't how ever do anything in the code as far as editing, adding, etc. If I'm not learning, I must be coasting. If I am coasting, I must be going down hill.

 

[KornGeek]

Stevenje,
That works in a regular mdb (unless shift has been disabled). However, the power of the mde is that the code is compiled, and then only the compiled code (not the source code) is included in the mde. Also, forms and reports are similarly locked so that they cannot be edited. The downside is that end users cannot create their own reports within the mde. Sleep is for people with no caffeine.

 

[Stevenje]

So with an MDE file, can the user, if they use Shift, can they see the tables. I have a situation where I was trying to prevent access to the back end. Which are linked tables in Oracle using microsoft ODB. How can I make it so the users cant see these tables? Should I create an Access back end that is linked to the tables then make that table an mde? will this make it so the user cant get to the tables?

Sorry KornGeek, didn't mean to take over your thread, but this is all along the same lines of securing data and code.

If I'm not learning, I must be coasting. If I am coasting, I must be going down hill.

 

[KornGeek]

No problem on taking it over. The lack of responses seems to indicate that nobody knows (or is willing to divulge) a way to extract this data. That will be good enough for me for now.

You might want to start a new thread just to improve your chances of getting relevant answers.

My best answers to your questions are as follows:
If the user holds shift, they will be able to view the tables in an MDE. You can prevent this by disabling the shift key and implementing user-level security (see the FAQs for how to do these). Implementing these protections (after backing up your database, of course) and hiding the database window will prevent users from accessing the tables directly through Access. I'm not sure how you'd prevent them from going around Access to view the data though.

Hope that gives you a start. Good luck. Sleep is for people with no caffeine.