foxpro security question

I have 1 FoxPro client that I service once a year for a few weeks. I'm not
remotely a FoxPro expert. The app is still in VFP6 and that's fine for now.
I may end up converting the whole thing to Access since it's pretty small
and low usage. It'd be easier for me to maintain that way. Anyway, I'm
trying to find out about the security available in Fox. Their company has
come up with a new policy that's going to require that the database be
secured to some degree. Right now it's not in a container. It was originally
a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
ago. So the tables are all free. Other than doing things like securing
folders on the network and such, is there any way within VFP6 (or even later
versions maybe) of securing the tables so they cannot be tampered with?
Obviously right now anyone can get into them even if they just have odbc on
their system and they have access to the folder the files are in. Anyone
with MS Access can get at them. We'd like to tighten it up a bit if
possible.

Thanks in advance,

Keith

Dan
Wed May 04 13:42:26 CDT 2005

Security has never been a feature of the DBF file format and likely never
will be.

There are third party products that can provide encryption of the data, but
the app would need to be modified to handle encryption/decryption as needed.

Later versions of VFP introduce database features not supported by the ODBC
driver, which could effectively block that avenue for access, but those
features are not available for free tables.

If a user has access to the data via the application, though, presumably
they have OS-level access to that directory. If they already have access to
the data, why would it matter that they can get there through ODBC?

Dan

Keith G Hicks wrote:
> I have 1 FoxPro client that I service once a year for a few weeks.
> I'm not remotely a FoxPro expert. The app is still in VFP6 and that's
> fine for now. I may end up converting the whole thing to Access since
> it's pretty small and low usage. It'd be easier for me to maintain
> that way. Anyway, I'm trying to find out about the security available
> in Fox. Their company has come up with a new policy that's going to
> require that the database be secured to some degree. Right now it's
> not in a container. It was originally a Fox 2.6 for DOS app that we
> just grungily moved over to VFP a few year ago. So the tables are all
> free. Other than doing things like securing folders on the network
> and such, is there any way within VFP6 (or even later versions maybe)
> of securing the tables so they cannot be tampered with? Obviously
> right now anyone can get into them even if they just have odbc on
> their system and they have access to the folder the files are in.
> Anyone with MS Access can get at them. We'd like to tighten it up a
> bit if possible.
>
> Thanks in advance,
>
> Keith

Eric
Wed May 04 13:44:07 CDT 2005

No, you can't secure your tables with VFP. Like you said, you have to set
file/folder security on the file server. IMO, Access security isn't any
better. True, you can protect the MDB with a password, but it can be hacked
with the proper tools.

If you need better security, you should upgrade to a database server such as
MSSQL or Oracle.
--
Eric den Doop
www.foxite.com - The Home Of The Visual FoxPro Experts - Powered By VFP8

"Keith G Hicks" <krh@comcast.net> wrote in message
news:ukryAeNUFHA.4092@TK2MSFTNGP12.phx.gbl...
>I have 1 FoxPro client that I service once a year for a few weeks. I'm not
> remotely a FoxPro expert. The app is still in VFP6 and that's fine for
> now.
> I may end up converting the whole thing to Access since it's pretty small
> and low usage. It'd be easier for me to maintain that way. Anyway, I'm
> trying to find out about the security available in Fox. Their company has
> come up with a new policy that's going to require that the database be
> secured to some degree. Right now it's not in a container. It was
> originally
> a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
> ago. So the tables are all free. Other than doing things like securing
> folders on the network and such, is there any way within VFP6 (or even
> later
> versions maybe) of securing the tables so they cannot be tampered with?
> Obviously right now anyone can get into them even if they just have odbc
> on
> their system and they have access to the folder the files are in. Anyone
> with MS Access can get at them. We'd like to tighten it up a bit if
> possible.
>
> Thanks in advance,
>
> Keith
>
>

Leemi
Wed May 04 14:53:06 CDT 2005

Hi Keith:

As you have read, VFP does not have a comprehensive solution for security.
If security is a primary concern, then I suggest moving the data to a
database that offer security built-in, such as SQL Server or Oracle.

You could still connet to the data from VFP using remote views, SQL Pass
Through, or cursoradapters, in VFP 8.0 and later.

I hope this helps.

This posting is provided "AS IS" with no warranties, and confers no rights.

Sincerely,
Microsoft FoxPro Technical Support
Lee Mitchell

*-- VFP9 HAS ARRIVED!! --*
Read about all the new features of VFP9 here:
http://msdn.microsoft.com/vfoxpro/

*--Purchase VFP 9.0 here:
http://www.microsoft.com/PRODUCTS/info/product.aspx?view=22&pcid=54787e64-52
69-4500-8bf2-3f06689f4ab3&type=ovr

Keep an eye on the product lifecycle for Visual FoxPro here:
http://support.microsoft.com/default.aspx?id=fh;[ln];lifeprodv
- VFP5 Mainstream Support retired June 30th, 2003
- VFP6 Mainstream Support retired Sept. 30th, 2003

>Security has never been a feature of the DBF file format and likely never
>will be.

>There are third party products that can provide encryption of the data, but
>the app would need to be modified to handle encryption/decryption as
needed.

>Later versions of VFP introduce database features not supported by the ODBC
>driver, which could effectively block that avenue for access, but those
>features are not available for free tables.

>If a user has access to the data via the application, though, presumably
>they have OS-level access to that directory. If they already have access to
>the data, why would it matter that they can get there through ODBC?

>Dan

>Keith G Hicks wrote:
> I have 1 FoxPro client that I service once a year for a few weeks.
> I'm not remotely a FoxPro expert. The app is still in VFP6 and that's
> fine for now. I may end up converting the whole thing to Access since
> it's pretty small and low usage. It'd be easier for me to maintain
> that way. Anyway, I'm trying to find out about the security available
> in Fox. Their company has come up with a new policy that's going to
> require that the database be secured to some degree. Right now it's
> not in a container. It was originally a Fox 2.6 for DOS app that we
> just grungily moved over to VFP a few year ago. So the tables are all
> free. Other than doing things like securing folders on the network
> and such, is there any way within VFP6 (or even later versions maybe)
> of securing the tables so they cannot be tampered with? Obviously
> right now anyone can get into them even if they just have odbc on
> their system and they have access to the folder the files are in.
> Anyone with MS Access can get at them. We'd like to tighten it up a
> bit if possible.
>
> Thanks in advance,
>
> Keith

Eugene
Wed May 04 18:58:36 CDT 2005

Keith G Hicks wrote:
> I have 1 FoxPro client that I service once a year for a few weeks. I'm not
> remotely a FoxPro expert. The app is still in VFP6 and that's fine for now.
> I may end up converting the whole thing to Access since it's pretty small
> and low usage. It'd be easier for me to maintain that way. Anyway, I'm
> trying to find out about the security available in Fox. Their company has
> come up with a new policy that's going to require that the database be
> secured to some degree. Right now it's not in a container. It was originally
> a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
> ago. So the tables are all free. Other than doing things like securing
> folders on the network and such, is there any way within VFP6 (or even later
> versions maybe) of securing the tables so they cannot be tampered with?
> Obviously right now anyone can get into them even if they just have odbc on
> their system and they have access to the folder the files are in. Anyone
> with MS Access can get at them. We'd like to tighten it up a bit if
> possible.
>
> Thanks in advance,
>
> Keith
>
>


The easiest plug in solution would be encrypting the data. Have a look
at http://www.hallogram.com/cryptor/

Keith
Wed May 04 20:55:08 CDT 2005

Thanks all for the information. Pretty much as I suspected. Much
appreciated.

Keith

dave
Thu May 05 22:38:43 CDT 2005

The problem with security is limited to - in a foxpro application - if
foxpro can access the files, the user can - and can likely delete them,
delete is a permission that can be controled by permissions.

if you run the application as a terminal service, you can limit the user
to just the application, so access to the files is prevented - security
is enhanced.

If you run the application using com object's better, over https better,
from an intranet behind a vpn .....

Keith G Hicks wrote:
> I have 1 FoxPro client that I service once a year for a few weeks. I'm not
> remotely a FoxPro expert. The app is still in VFP6 and that's fine for now.
> I may end up converting the whole thing to Access since it's pretty small
> and low usage. It'd be easier for me to maintain that way. Anyway, I'm
> trying to find out about the security available in Fox. Their company has
> come up with a new policy that's going to require that the database be
> secured to some degree. Right now it's not in a container. It was originally
> a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
> ago. So the tables are all free. Other than doing things like securing
> folders on the network and such, is there any way within VFP6 (or even later
> versions maybe) of securing the tables so they cannot be tampered with?
> Obviously right now anyone can get into them even if they just have odbc on
> their system and they have access to the folder the files are in. Anyone
> with MS Access can get at them. We'd like to tighten it up a bit if
> possible.
>
> Thanks in advance,
>
> Keith
>
>

wpa
Fri May 20 21:53:56 CDT 2005

I have a big application written in FPW2.6 and it has the necessary
security. The main idea is to run the application under another user
account, which is the only that has access to the dbf files. If you want, I
can tell you more.

Walter


"Keith G Hicks" <krh@comcast.net> escribió en el mensaje
news:ukryAeNUFHA.4092@TK2MSFTNGP12.phx.gbl...
> I have 1 FoxPro client that I service once a year for a few weeks. I'm not
> remotely a FoxPro expert. The app is still in VFP6 and that's fine for
now.
> I may end up converting the whole thing to Access since it's pretty small
> and low usage. It'd be easier for me to maintain that way. Anyway, I'm
> trying to find out about the security available in Fox. Their company has
> come up with a new policy that's going to require that the database be
> secured to some degree. Right now it's not in a container. It was
originally
> a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
> ago. So the tables are all free. Other than doing things like securing
> folders on the network and such, is there any way within VFP6 (or even
later
> versions maybe) of securing the tables so they cannot be tampered with?
> Obviously right now anyone can get into them even if they just have odbc
on
> their system and they have access to the folder the files are in. Anyone
> with MS Access can get at them. We'd like to tighten it up a bit if
> possible.
>
> Thanks in advance,
>
> Keith
>
>

Keith
Sat May 21 08:36:38 CDT 2005

Thanks for the response.

If you're talking about the access "database password" feature, you're
right. That is a very weak way to protect an mdb file. However, the more
sophisticated security tools provided with MS Access are a bit better than
that and apparently not as easy to crack. I'm not sure how much better it is
but I've read several posts and websites on the subject and they all
indicate that it's pretty good (not to be confused with PGP :)).

I aslo wouldn't want to rely on the built in MS SQL security entirely. From
all my SQL research I've discovered that is fairly weak as well.

Thanks again,

Keith

"Eric den Doop" <ericdendoop@xspamblockxfoxite.com> wrote in message
news:eEgRWjNUFHA.3944@tk2msftngp13.phx.gbl...
No, you can't secure your tables with VFP. Like you said, you have to set
file/folder security on the file server. IMO, Access security isn't any
better. True, you can protect the MDB with a password, but it can be hacked
with the proper tools.

If you need better security, you should upgrade to a database server such as
MSSQL or Oracle.
--
Eric den Doop
www.foxite.com - The Home Of The Visual FoxPro Experts - Powered By VFP8

"Keith G Hicks" <krh@comcast.net> wrote in message
news:ukryAeNUFHA.4092@TK2MSFTNGP12.phx.gbl...
>I have 1 FoxPro client that I service once a year for a few weeks. I'm not
> remotely a FoxPro expert. The app is still in VFP6 and that's fine for
> now.
> I may end up converting the whole thing to Access since it's pretty small
> and low usage. It'd be easier for me to maintain that way. Anyway, I'm
> trying to find out about the security available in Fox. Their company has
> come up with a new policy that's going to require that the database be
> secured to some degree. Right now it's not in a container. It was
> originally
> a Fox 2.6 for DOS app that we just grungily moved over to VFP a few year
> ago. So the tables are all free. Other than doing things like securing
> folders on the network and such, is there any way within VFP6 (or even
> later
> versions maybe) of securing the tables so they cannot be tampered with?
> Obviously right now anyone can get into them even if they just have odbc
> on
> their system and they have access to the folder the files are in. Anyone
> with MS Access can get at them. We'd like to tighten it up a bit if
> possible.
>
> Thanks in advance,
>
> Keith
>
>