Showing posts with label microsoft access security. Show all posts

Tuesday, July 08, 2008

Security Fix for SQL Server and MSDE Released

Microsoft today released Security Bulletin MS08-040 – Important Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203):
This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

This security update is rated Important for supported releases of SQL Server 7.0, SQL Server 2000, SQL Server 2005, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that SQL Server manages page reuse, allocating more memory for the convert function, validating on-disk files before loading them, and validating insert statements. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Monday, July 07, 2008

Access Security Alert: Snapshot Control

Microsoft has today posted Security Advisory 955179, which contains information regarding active targeted attacks using a vulnerability in the Snapshot Viewer Active-X control in Access 2000, Access 2002 and Access 2003.

Currently only manual workarounds are included in the Advisory. Although these workarounds help block known attack vectors, the underlying vulnerability is not corrected.

MS says attacks appear to be targeted and not widespread.

Thursday, June 05, 2008

Office 2007 Security Guide

Understanding the 2007 Microsoft Office Security Guide: This guide from Microsoft sets out best practices and automated tools to help strengthen the security of computers running Office 2007 on Windows XP/Vista.

Wednesday, May 21, 2008



Access 2007 Security

These two articles from Microsoft will give you an overview on how security in Access 2007 differs from previous versions:

Tuesday, November 13, 2007

New Office 2007 Security Tool

Microsoft is scheduled to release a software tool to better tweak the security settings of Office 2007. The application offers detailed documentation of the security settings in Office 2007, as well as a free Group Policy Object Accelerator that allows administrators to change and set security policies across users through Active Directory. Full story

Friday, November 09, 2007

Office 2007 Security Guide

The 2007 Microsoft Office Security Guide (9Nov07) provides prescriptive Group Policy setting and security configuration recommendations to help strengthen the security of computers running the 2007 Microsoft Office release on computers that run Windows Vista or Windows XP in domain–based environments.

Sunday, October 07, 2007

Protect Your Access MDE's



I was reminded today of the security leaks that exist in MDEs. While the VBA code is stripped, declarations and procedure stubs are retained in the MDE file, and object designs can be hacked.

There are some on the Web, who should know better, selling so-called MDE unlockers and protectors. Ethically, there are two issues here:
  1. These apps are marketed as protection aids, but they can also be used by the unscrupulous to do the opposite: get past MDE protection of someone else's database.

  2. How these apps do what they do is not a secret and can be done by anyone with retail Access. If you want to improve the protection of your MDEs or you genuinely need to get into one of your MDE's, before spending any money on these products, read on.

On 1 May 2004, I posted on the MDE security issues and protection. The post has been updated and is set out below. Please note that the following does not apply to Access 2007 and ACCDE's, but can be applied to Access 2003 MDB's secured in Access 2003 and then compiled as an MDE in Access 2007. For reasons unknown Microsoft removed Access security from Access 2007.

Did you know that:

1. You can access the Start-Up properties (such as disabling the Shift key bypass) of an MDE through another MDB and change each property.

2. You can open an unsecured MDE with the Shift key, press Ctrl+G to open the Debug window, press F2 to open the Object Browser, and then search all the code modules for procedure stubs, declarations, and constants.

3. You can import all the form and report objects but not the code from an unsecured MDE into an MDB.

Securing An Access Database

To effectively secure an Access MDB you MUST demote the Admin user from the Admins group. Otherwise your database will not be secure, as Admin cannot be removed from the Users group, and anyone using the retail system.mdw file logs on automatically as Admin.

1. Use the Access Workgroup Administrator (AWA), wrkgadm.exe, to create a new workgroup (.mdw) file.

2. Join the new workgroup using the AWA.

3. Make a backup copy of your MDB.

4. Open Access and the database to be secured.

5. Using Tools, Security, User and Group Accounts..., in the User and Group Accounts dialog:

5.1 Create a password for Admin user.

5.2 Create a new user account. This account will be the new database owner account. For example, call the owner account DBOwner. Add "DBOwner" to all groups, including the critical Admins group.

6. Close and re-open Access, logging on as "DBOwner", and leaving the password blank, as you have not assigned one yet.

7. In the User and Group Accounts dialog, demote the Admin user account by removing it from the Admins group. Now Admin is only a member of the Users group and will have only those permissions assigned to that group by "DBOwner".

8. Create a password for "DBOwner".

9. Close and re-open Access, logging on as "DBOwner" using the password you created in step 8.

10. You can now start to secure the objects in your database.

11. In Access 2000 and later, you also need to secure your code by using Password Protection in the VBA Editor.

Special Notes:

  • You don't have to distribute your MDW file with your MDE to protect it using this method

  • A User account inherits the permissions of the Group to which it belongs.

Testing:

I have tested an MDE protected with Access security and Password Protection in the VBA Editor with the demos of these two products: Access MDE Unlocker and Access MDE Source Protector, and both products failed to unlock the MDE.

You should test your own MDEs before distribution.
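
One way to check the result of steps 5 to 9 before distribution is to audit the workgroup configuration from VBA. This is an added example, not code from the original post; the function name AuditWorkgroupSecurity is hypothetical, and it assumes the secured MDB is open while joined to the new workgroup file and that the project references the Microsoft DAO 3.6 Object Library.

```vba
' Added example: reports whether the Admin demotion described above took effect.
' Assumes a reference to Microsoft DAO 3.6 Object Library.
Option Compare Database
Option Explicit

Public Function AuditWorkgroupSecurity() As String
    Dim ws As DAO.Workspace, db As DAO.Database
    Dim usr As DAO.User, probe As DAO.Workspace
    Dim report As String, adminInAdmins As Boolean

    Set ws = DBEngine.Workspaces(0)
    Set db = CurrentDb

    ' Which workgroup file is in use, and which account is logged on.
    report = "Workgroup file: " & DBEngine.SystemDB & vbCrLf
    report = report & "Logged on as: " & ws.UserName & vbCrLf

    ' Step 7: Admin must no longer be a member of the Admins group.
    For Each usr In ws.Groups("Admins").Users
        If StrComp(usr.Name, "Admin", vbTextCompare) = 0 Then adminInAdmins = True
    Next usr
    report = report & "Admin in Admins group: " & adminInAdmins & vbCrLf

    ' Step 5.1: a logon as Admin with a blank password must be refused.
    On Error Resume Next
    Set probe = DBEngine.CreateWorkspace("probe", "Admin", "")
    If Err.Number = 0 Then
        report = report & "Admin password: BLANK (logon succeeded)" & vbCrLf
        probe.Close
    Else
        report = report & "Admin password: set (blank logon refused)" & vbCrLf
    End If
    Err.Clear
    On Error GoTo 0

    ' The database owner should be the new owner account, not Admin.
    report = report & "Database owner: " & _
        db.Containers("Databases").Documents("MSysDb").Owner & vbCrLf

    AuditWorkgroupSecurity = report
End Function
```

Call it from the Debug window with `? AuditWorkgroupSecurity()` while logged on as the owner account; any line showing Admin in the Admins group, a blank Admin password, or Admin as the database owner means the database is not yet secured as described.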

Caveat:

There is no bullet-proof protection against an expert hacker.

Tuesday, May 08, 2007

Security In Access 2007

Workgroup security has been dropped from Access 2007, which I personally see as a big negative.

In many Access applications users can create new objects at runtime, such as queries, forms and reports. A compiled MDE/ACCDE will not cut it as you can't protect your developer objects and code, and allow users to create their own objects. In versions prior to Access 2007, you could selectively protect developer objects and give users permissions to create new objects, using the very robust Access workgroup security features. This means that many of my Access applications and add-ins will not be distributed in the Access 2007 format. One wonders if the Microsoft Access development team considers the views of developers and users.

Having said this, MSDN has just published an article by MVP and fellow-Aussie, Garry Robinson, Security Considerations and Guidance for Access 2007, which is the first comprehensive discussion of security in Access 2007.

Garry has also written a valuable book on pre-Access 2007 security: Real World Microsoft Access Database Protection and Security.