  1. Microsoft Access 2010 and ODBC Connection string security
    <p>I am using Microsoft Access 2010 with unbound forms. No linked tables allowed, otherwise the connection string is stored in the table definitions. So it follows that we will use a query definition with no name to access SQL Server. This is recommended by Microsoft. We need to get the connection string from somewhere though. So it is recommended to return it from a method with an obfuscated name. It is recommended not to embed the connection string in plain text in the application source. So we use encryption.</p>
    <p>A good way of doing this is to require the application's administrator to define the connection string at the first run of the application and, according to <a href="http://msdn.microsoft.com/en-us/magazine/cc164054.aspx" rel="nofollow">this MSDN article</a>:</p>
    <blockquote> <p>...encrypt its value via DPAPI with a user-specific key of <strong>the account under which the application runs</strong>, and save the encrypted value in the Windows registry.</p> </blockquote>
    <p>The accde launches from the logged-on Windows user account, after which the app's admin can log in and set up the connection to the database, following the recommendations above.</p>
    <p>The weakest link I now seem to have is the Windows user account. It seems that anyone logged in to that account could decrypt the connection string if they knew the implementation of the security scheme. Which means that the system still is not secure enough.</p>
    <p>I could create a new Windows user, but that would mean that the password for that user must be kept safe, which means we are back at square one, securing the password that is used to access some secret information.</p>
    <p>There must be an easier way, any ideas?</p>
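The scheme quoted in the question (DPAPI with the current user's key, ciphertext kept in the registry), shown as an added PowerShell example that is not part of the original post. The registry key, value name and connection string are hypothetical placeholders; the point to observe is that decryption needs no secret beyond running as the same Windows user.

```powershell
# Added example. Registry path, value name and connection string are constructed placeholders.
Add-Type -AssemblyName System.Security

$RegPath   = 'HKCU:\Software\ExampleAccessApp'   # hypothetical key
$ValueName = 'ConnBlob'                          # hypothetical value name
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-ConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($ConnectionString)
    try {
        # No password is passed in: DPAPI derives the key from the logged-on user's credentials.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    } finally {
        # Wipe the plaintext buffer once the ciphertext exists.
        [Array]::Clear($plain, 0, $plain.Length)
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $blob `
        -PropertyType Binary -Force | Out-Null
}

function Read-ConnectionString {
    $blob = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    try {
        # Succeeds for any process running as the user who called Protect.
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]$blob, $null, $Scope)
    } catch {
        # Typical cause: the blob was protected under a different user account.
        throw "DPAPI could not decrypt the stored value for this user account."
    }
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# First run: the administrator supplies the string (constructed sample value).
Save-ConnectionString 'Driver={SQL Server};Server=db.example.internal;Database=Sales;Trusted_Connection=Yes;'

# Later runs: the application reads it back without prompting for anything.
Read-ConnectionString
```

Run under a second Windows account against a copy of the same blob, `Read-ConnectionString` throws, which is the boundary DPAPI's `CurrentUser` scope enforces and the one the question identifies as the weakest link.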
 
