Thursday, October 25, 2007

Free Web Seminar On SQL Server Security

On October 30, 2007 Windows IT Pro Magazine is presenting a free web Seminar on SQL Server Security: How to Secure, Monitor and Audit Your Databases. Register

Most companies remain focused on the security of the perimeter and ignore the database. This seminar will discuss the basics of database security and best practice for securing, monitoring and auditing SQL Server.

Other topics to be covered:
  • The three layers of security in most systems today
  • Why secure the database layer?
  • Challenges securing the database layer
  • Best practices for securing, monitoring & auditing SQL Server databases
  • Tools to help secure SQL Server
Latest SQL Server 2005 Hotfixes

FIX: Error message when you run a query that references a column of the XML data type in SQL Server 2005: "The XML data type is damaged".

FIX: Error message when you try to delete some stored procedures concurrently in SQL Server 2005: "Temp table deferred drop doesn't scale for certain workloads".

Wednesday, October 24, 2007

Latest SQL Server 2005 Resources
  • Microsoft SQL Server 2005 Service Pack 2 SQL Server 2005 SP2 includes significant enhancements to maintenance plans, including an enhancement that lets users specify the cleanup interval in hours. SQL Server 2005 service packs are cumulative, and this service pack upgrades all service levels of SQL Server 2005 to SP2.

  • How To: Determine the version of SQL Server 2005 Integration Services

  • How To: Use Excel Services as a data source in Microsoft Office PerformancePoint Server 2007 Monitoring and Analytics

Latest Office 2007 Resources

Wednesday, October 17, 2007

Automatically Schedule Access Reports For Printing

If you say need to print an Access report by 10:00 every Friday morning, you don’t have to do it manually. Follow this great tip from Tech Republic's Mary Ann Richardson.
Add Addtional Files to Access 2007 Deployment Packages

This How To shows you how to add an add-in to an Access 2007 deployment package using the Package Solution Wizard, containing your application, the Microsoft Office Access 2007 Runtime, and additional files.

Additional links:
Office Business Applications Developer Portal

This Microsoft Office 2007 Portal provides a comprehensive set of servers, clients, and tools to make it easier for enterprises, software vendors, and developers to build and deploy a new class of business applications called Office Business Applications (OBAs).
Latest SQL Server 2005 Fixes

. FIX: An access violation may occur intermittently when you run an Integration Services package that contains a Data Flow task in SQL Server 2005

. FIX: On a computer that is running SQL Server 2005 and that has multiple processors, you may receive incorrect results when you run a query that contains an inner join

Monday, October 08, 2007

NEW: Access 2003 to Access 2007 Interactive Command Reference Guide

Download a visual interactive reference guide to help you find Access 2003 commands in the new Access 2007 Ribbonbars.

You can also download the Access Ribbon mapping workbook, an Excel file that lists the commands on each tab of the Access 2007 Ribbon and the menu/toolbar location in previous versions of Access. Instructions on the first tab of the workbook provide tips for customizing, finding, and printing data.

Sunday, October 07, 2007

Protect Your Access MDE's



I was reminded today of the security leaks that exist in MDEs. While the VBA code is stripped, declarations and procedure stubs are retained in the MDE file, and object designs can be hacked.

There are some on the Web, who should know better, selling so-called MDE unlockers and protectors. Ethically, there are two issues here:
  1. These apps are marketed as protection aids, but they can also be used by the unscrupulous to do the opposite: get past MDE protection of someone else's database.

  2. How these apps do what they do is not a secret and can be done by anyone with retail Access. If you want to improve the protection of your MDEs or you genuinely need to get into one of your MDE's, before spending any money on these products, read on.
On 1 May 2004, I posted on the MDE security issues and protection. The post has been updated and is set out below. Please note that the following does not apply to Access 2007 and ACCDE's, but can be applied to Access 2003 MDB's secured in Access 2003 and then compiled as an MDE in Access 2007. For reasons unknown Microsoft removed Access security from Access 2007.

Did you know that:

1. You can access the Start-Up properties (such as disabling the Shift key bypass) of an MDE through another MDB and change each property.

2. You can open an unsecured MDE with the Shift key, press Ctrl+G to open the Debug window, press F2 to open the Object Browser, and then search all the code modules for procedure stubs, declarations, and constants.

3. You can import all the form and report objects but not the code from an unsecured MDE into an MDB.

Securing An Access Database

To effectively secure an Access MDB you MUST demote the Admin user from the Admins group. Otherwise your database will not be secure, as Admin cannot be removed from the Users group, and anyone using the retail system.mdw file logs on automatically as Admin.

1. Use the Access Workgroup Administrator (AWA), wrkgadm.exe, to create a new workgroup (.mdw) file.

2. Join the new workgroup using the AWA.

3. Make a backup copy of your MDB.

4. Open Access and the database to be secured.

5. Using Tools, Security, User and Group Accounts..., in the User and Group Accounts dialog:

5.1 Create a password for Admin user.

5.2 Create a new user account. This account will be the new database owner account. For example, call the owner account DBOwner. Add "DBOwner" to all groups, including the critical Admins group.

5. Close and re-open Access, logging on as "DbOwner", and leaving the password blank, as you have not assigned one yet.

7. In the User and Group Accounts dialog, demote the Admin user account by removing it from the Admins group. Now Admin is only a member of the Users group and will have only those permissions assigned to that group by "DBOwner".

8. Create a password for "DBOwner".

9. Close and re-open Access, logging on as "DBOwner" using the password you created in step 8.

10. You can now start to secure the objects in you database.

11. In Access 2000 and later, you also need to additonally secure your code by using Password Protection in the VBA Editor.

Special Notes:

  • You don't have to distribute your MDW file with your MDE to protect it using this method

  • A User account inherits the permissions of the Group to which it belongs.
Testing:

I have tested an MDE protected with Access security and
Password Protection in the VBA Editor with the demos of these two products: Access MDE Unlocker and Access MDE Source Protector, and both products failed to unlock the MDE.

You should test your own MDEs before distribution.

Caveat:

There is no bullet-proof protection against an expert hacker.

Saturday, October 06, 2007

Office 2003 Document: Office 2003 Service Pack 3 White Paper

This white paper discusses the benefits of deploying Microsoft Office 2003 Service Pack 3 (SP3) before upgrading to the 2007 Microsoft Office system, and details improvements to security and user experience.

Wednesday, October 03, 2007

Access 2007 Pain: RibbonBar

I was never a fan of the RibbonBar gui in Office 2007, but was ready to accept the need to work with it.

But at each step in the learning process , there is nothing but frustration. And I am not alone: read the comments to a post on the Access Team Blog.

A partial random list of annoyances:
  1. There is no way to build or even review RibbonBars natively in Access 2007.

  2. The XML for a RibbonBar does not parse in MS XML Notepad or by using the MSXML dlls - the XML needs to be modified to be read.

  3. Using more than one period (.) in a row in a label breaks the XML.

  4. There is no easy way to get the ImageID of a native image: you have to download an obscurely located Excel file.

  5. The MS Custom Office UI Editor returns malformed XML errors by referring to the line and character number, but - you guessed it - the Editor screen has neither.

  6. There is next to nothing on customizing the RibbonBar in the Access Help file. The only articles where you can get any coherent information have been written by third parties.

  7. If you want to preview a native RibbonBar image in an Access form, you can't use the Access image control - you have to use the MS Forms image control, which is not fully supported in Access.
In one of the comments to the above-mentioned post, well-known Access writer Mike Groh, said:

"Without intellisense and without an Object Browser view of the ribbon hierarchy, it's very, very difficult to make headway on ribbon customization."

A correction: The RibbonBar gui does not have an object model, so the hierarchy has to be viewed in some other way.

On 20 Sep I posted my Custom RibbonX Reviewer BETA, for free download. The Reviewer loads a custom RibbonBar into a treeview to show the full hierarchy, and all attributes and values for each item, as well as displaying the actual RibbonBar. There are also extensive reference resources incorporated into the GUI. The next stage in the project is to deploy the app as an add-in that will work inside the users' ACCDB, and provide in-place editing of RibbonBars using a pseudo-object model.

I sent an email to the Access Team Blog on this app, in the hope I would get some support or feedback. The email has been ignored.