Is Microsoft Access hosting secure?
How to improve security in Microsoft Access using hosted remote desktops
Microsoft Access isn’t necessarily the most secure of applications and, to be fair, it isn’t designed to be. If watertight security is a requirement, see later in this article about combining Access with other database engines. However, there are a number of ways of improving the security in Microsoft Access. One important point to mention is that this isn’t a developer’s guide or how-to guide; there are many articles online that can cover that much better than I. This is more about using security at an infrastructure level and in particular securing Access using a hosted remote desktop service.
Microsoft Access security covers two areas: preventing users from accidentally breaking something, and preventing mischievous users or external hackers from accessing data they shouldn’t.
Options within your Access application to make it more secure
Most importantly with Access, you want to prevent users seeing or “playing” with things they shouldn’t. So you need to hide the toolbar “Ribbon”, hide the Navigation Pane, and disable the ability to use Special Keys, i.e. the special keys that will unhide the Navigation Pane.
Anyone who knows a little bit about Access will know that pressing the Shift key when opening the application will bypass the start-up code, that is, the code you just put in to hide the ribbon. So you need to add some code to prevent this working. As with the items above, just search in Google on preventing users bypassing start-up in Access and you will get some good code samples.
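The start-up lockdown described above, as an added example that is not code from this article or from Your Office Anywhere. The procedure names SetStartupProperty and LockDownStartup are hypothetical; the DAO properties and DoCmd call are standard Access features.

```vba
Option Compare Database
Option Explicit

' Sets a Boolean start-up property on the current database,
' creating it first if it does not exist yet (DAO error 3270).
Private Sub SetStartupProperty(ByVal propName As String, ByVal propValue As Boolean)
    Const ERR_PROPERTY_NOT_FOUND As Long = 3270
    Dim db As DAO.Database
    Set db = CurrentDb

    On Error Resume Next
    db.Properties(propName) = propValue
    If Err.Number = ERR_PROPERTY_NOT_FOUND Then
        Err.Clear
        ' Custom start-up properties are absent until first created.
        db.Properties.Append db.CreateProperty(propName, dbBoolean, propValue, True)
    End If
    If Err.Number <> 0 Then
        MsgBox "Could not set " & propName & ": " & Err.Description
    End If
    On Error GoTo 0
End Sub

' Hypothetical entry point: call once from the development copy.
Public Sub LockDownStartup()
    SetStartupProperty "AllowBypassKey", False       ' Shift key no longer skips start-up code
    SetStartupProperty "AllowSpecialKeys", False     ' F11 etc. no longer unhide the Navigation Pane
    SetStartupProperty "StartUpShowDBWindow", False  ' Navigation Pane hidden on open
    DoCmd.ShowToolbar "Ribbon", acToolbarNo          ' hide the ribbon for this session
End Sub
```

The three properties take effect the next time the database is opened, so keep an unlocked development copy before distributing the locked one.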
Making Access more secure by splitting the database and compiling the front end
Unless you are the only user then you should split the database as a matter of course. It’s a simple process and makes for a much more secure and stable application with less risk of corruption.
When you split the database you create a back-end which contains the tables and then a front-end that contains the forms, queries and reports.
After you’ve split the database, do a second step to save the front-end as a “.accde” file, that is a compiled executable, and distribute this file to the users.
Where users only have the .accde file, they cannot change the design of the database or give themselves access to anything they shouldn’t.
Using this method you can also prevent users having any access to the back end by saving it on a network somewhere with tight security so that only the front end application can access it.
Encrypt the back-end database with a password
Under the assumption that a hacker (or internal user with more access rights than perhaps they should have) could potentially get to the back-end database on your network, you can encrypt the back-end file using a password.
There is a caveat to this: it is a fairly simple process for a user to find out that password. Access has some hidden system tables. If a user is able to find these in their front-end application, then one of these system tables will show the connection properties to the back-end, including the password, completely visible in plain text.
So preventing users getting access to the back-end file is key.
Using a hosted remote desktop to make Access more secure
On a hosted desktop the drive containing the front-end and back-end files can be completely hidden and inaccessible to the user. They won’t be able to browse to the files, and couldn’t open them even if they could.
The hosted desktop is completely locked down, preventing the user from messing in areas of the operating system they shouldn’t.
There are various locked-down connection options, such as Remote Apps, where all the user has is an icon on their local desktop for the remote Access front-end application and nothing else, so they can’t access the full remote desktop and start trying to hack into things.
You can also present the application on the remote desktop through a web browser, again restricting the user to just the front-end and not letting them anywhere near the back-end or the network it sits on.
Of course, securing your database isn’t just about preventing unauthorised access to it; it is just as important to protect your database from being lost or damaged, whether accidentally or maliciously. Backing up your database is often the only get-out-of-jail card if your systems are attacked by ransomware.
A good hosted desktop provider will back up your database as part of the service and keep copies going back several weeks or more if requested.
When hosting an Access database application on a hosted desktop you will also be taking advantage of all the other security measures that the provider will have in place. This should include physical security at the data centre, including 24 hr manned security, as well as enterprise level firewalls and encryption.
What if the security in Microsoft Access is still not good enough?
We mentioned at the top of the article that Access isn’t inherently that secure, so if security is something that needs tightening up, then consider moving to a SQL Express or SQL Standard database, which you can connect to from your Access front-end. These can both be included on a hosted remote desktop service.
Access hosting from Your Office Anywhere
Your Office Anywhere are ISO 27001 certified for our Information Security Management system and are the UK’s leading provider of hosted desktops for Access database applications. If you would like to know more about the security of Access on this platform, please get in touch with one of our sales consultants, who can answer any questions you may have. Just go to our contact page or call 01282 906041.
Contact us here for a fast response
+44 (0)1282 500318
Your Office Anywhere, 4 Dominion Court, Billington Road, Burnley, BB11 5UB
M-F: 9am - 5pm