New Client has no domain/entra, entire product based on Access... help me articulate why it's bad(?)
Posted by Time_Turner@reddit | sysadmin | 24 comments
I think I failed today. I was working with someone who wanted help setting up Windows Server to do some sort of weird thing with scripts and running Access... Like, it has a file watcher that triggers on a file being added, executes a batch file to run Access as one of 20-odd separate users' local profiles (why different users? To have different processes, I guess? As well as to be able to be logged into as... idk). They have this Access program that is basically their entire product/system; it manages security devices/keys or something.
And it just gave me that feeling of "yeah, this is that kind of situation", aka the ick, aka the "I know this is bad, I just can't describe why". Because I just don't know Access, to be honest... maybe this is completely fine, and until they hit performance problems it will work for decades to come, like a bank running off COBOL and AS/400s.
They have no domain or Entra ID. They asked me why they would need one, and I listed off typical talking points, but like, they just have desktops that are one per person in their office, a small company, and use a network share to hold the Access database and share files. I just kind of froze because I honestly have never had to sell why you'd need to modernize your environment onto M365 + Intune instead of just local users and O365 if you didn't have a reason to. Why would they need an AD domain if they've never needed one before for Exchange or to get the benefits of managing said desktops? I completely failed to sell the security benefits of it. If they get ransomware? "Just restore backup on the NAS." Bad employee/bad actor? "Just keep them out of the office."
They have big-name customers... but they don't need compliance for some reason, I guess, which alone would be a reason they would want a domain + Intune, etc.
Access databases are just sitting on this NAS. Users log in via an entry form made in Access (to their credit it tracks their IP; if the IP changes it doesn't let them in, I guess? I didn't press on it). It looks well developed enough that I think they hash the passwords? I hope; I'm not certain. I just figure that can't possibly be secure to roll your own auth into an Access database, right? Maybe that's perfectly fine, I have no clue, I just get the ick from it.
Apparently they tried moving to SQL but it was slower (??? bad setup??). They just use multiple access DBs per customer to circumvent limitations on file size.
I don't know enough about MS Access to know if it's something you simply can't get away with using anymore if, by their own words, "it works just fine". I didn't attempt to talk much about it, since the last time I messed with Access was in 2002 as a kid making my first "program".
I just know MS Access and Visual Basic are tending to go the way of the dodo. But if you can't explain why this setup is bad beyond it being "old school/jank" and giving you the ick because you hear from people who know better that these aren't "production ready" products/systems, how could you convince or recommend they get off it? Or that they need Entra + Intune?
Smith6612@reddit
Oh man...
https://howfuckedismydatabase.com/
The rest of that sounds like a nightmare ready to pop. Surprised they've made it this far without, what sounds like, centralized management.
But props to those who know Access well enough to build something like this. Takes some creativity, that's for sure.
Time_Turner@reddit (OP)
It sounds like a nightmare, but how do you explain why? The scenarios in my head don't sound compelling enough. They are sort of "what ifs" or "nice to haves".
BrainWaveCC@reddit
If you cannot look at a prospect's situation, and articulate to them an actual problem beyond "that's not best practice," then they either do not have a problem, or you simply don't have a business opportunity.
If you do articulate it, and they are unmoved by your answer, then -- from their perspective -- they still do not have a problem, and your time is better spent elsewhere.
Altniv@reddit
Just as an example, all security protections are in essence “what ifs” and “insurance policies” until they become “what happened”
distgenius@reddit
Scenarios aren’t worth much, but dollars are. It is highly likely that taking this ad hoc monstrosity they have built over the years and turning into a full fledged application would cost more than they can afford to spend. The only way to make it make sense to them is to show how different failure paths cost $X, and how likely that failure outcome is. Those costs and likelihoods would need to be more than the cost of all the remediation you’re suggesting. If you can get into productivity and labor costs around managing the current setup, that might help. Don’t speak tech, speak finance.
Normally I’d say an avenue of approach might be related to business insurance or compliance, but if they’re sticking their heads in the sand there I doubt you’ll gain much ground appealing to either.
adestrella1027@reddit
Excel 😆 Not a database. Thought I was fucked for a moment there.
Smith6612@reddit
That's just saying you're fucked but with extra steps.
randomugh1@reddit
The risk is lack of third-party support. What do you do when it just stops? No one knows why it stopped, and the business has stopped and is waiting on you. The original developer is long gone or dead and they look to you to fix it. You look to restore the latest backup and that's when you find out the scheduled task was under the original developer's account that was disabled and backups haven't run in years.
You dig in and determine they’ve hit some limit and there’s no work around. You have to archive data out into another file or archive that one and start a new file (they have 20 already?). They lose 5 days of business and miss deliveries and their customers charge back $30k/ day for line stoppage and the company passes that on to you.
This company needs a migration plan to a supported platform backed by a company that can handle the chargebacks. Or hire back/raise the dead to keep the original developer on.
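One concrete check for the backup failure mode randomugh1 describes, as an added example that is not from the thread: a PowerShell snippet (assumes local accounts only, as in the OP's setup) that lists enabled scheduled tasks whose run-as user is disabled or missing, along with when they last ran and their last result code.

```powershell
# Added example (not from the thread): find scheduled tasks whose run-as account is a
# disabled or missing local user, and show when they last ran and their last result.
# Assumes local accounts only (no domain), matching the setup described in the post.
$localUsers = Get-LocalUser | Select-Object Name, Enabled

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task  = $_
    $runAs = $task.Principal.UserId
    if ([string]::IsNullOrEmpty($runAs)) { return }   # group principals etc.; skip
    # Strip a COMPUTERNAME\ or .\ prefix so the name matches Get-LocalUser output
    $user = ($runAs -split '\\')[-1]
    # Well-known service principals cannot be "disabled"; skip them
    if ($user -in @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')) { return }
    $acct = $localUsers | Where-Object Name -eq $user
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task         = "$($task.TaskPath)$($task.TaskName)"
        RunAs        = $runAs
        AccountState = if (-not $acct) { 'MISSING' }
                       elseif (-not $acct.Enabled) { 'DISABLED' }
                       else { 'ok' }
        LastRunTime  = $info.LastRunTime
        LastResult   = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 = success
    }
} | Where-Object { $_.AccountState -ne 'ok' } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the machine that hosts the backup task; any row it prints is a backup job that has silently stopped running.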
lordlionhunter@reddit
I think you can make good headway supporting Access. It’s a 365 application, getting regular updates not some XP era compatibility mode run software. I’ve supported worse professionally.
randomugh1@reddit
For an application to be that developed it won't be new; it's more likely to be Access 97, maybe Access 2000.
Kamikaze_Wombat@reddit
Multiple DB files for the same customer... That sounds like a problem waiting to happen. Also, I'd be willing to bet the usernames and passwords are just in a table somewhere in one of the Access files, not hashed. But the file itself is password protected or something like that.
Icolan@reddit
I'm almost dreading asking this, but what are they doing for backups?
vCentered@reddit
Some people are beyond help. They've got it to work like this and that's all the validation they need that it's acceptable.
Had a guy who owned a construction business that got ransomwared and brought my firm in to help out. They had no domain, RDP open to the world, no backups, his account (got hacked) had access to everything, no antivirus/EDR.
I basically pitched rebuilding everything with AD, off-site backups, MFA, VPN, EDR, the works.
"You haven't explained to me why I need all that, you're just taking advantage of my situation."
I told our VP we should walk away and we did.
slowclapcitizenkane@reddit
I can count on zero hands the number of times I saw a company run a multi-user system based entirely around Access without fucking themselves.
aguynamedbrand@reddit
This quote I heard somewhere seems like it applies here.
mad-ghost1@reddit
Just checked if this was an April Fools'... Sounds interesting. Let's get a copy of the Access. Seems like the way forward with the increasing cost of cloud tools 😂🤪. Just kidding... Run fast and block that email domain!
brkdncr@reddit
This will be the new salesforce in 5 years.
RCTID1975@reddit
Repeat after me: not everyone needs to be your client.
This is one of those scenarios where you walk away. This will cost you far more money than you will ever make from them, and could damage your reputation
bleedingjim@reddit
Do they have cyber insurance?
badlybane@reddit
This is literally the first time I have heard of this. I mean, yeah, Access and local users can work. The reason SQL did not work is likely because they tried SQL Express and their DB is likely massive.
SQL Express or free SQL has a nice little hitch in that the bigger the DB, the slower it gets, by design. There are size limitations, etc. If they went to an actual licensed SQL Server with enough RAM to run everything, then it should scream.
Here is the problem: the DB is just a file with an ACL. That's likely not encrypted. So one would need to copy the DB and then brute force it. Also there is no Kerberos auth, and likely most of the data is plaintext on the wire.
Passwords are basic, etc. They could not publish anything public with this without risking their prod DB. They are just severely limited.
If they want to do this, limit access, etc. Rather than Access they should go GNU. NoSQL or MongoDB. Then go full Linux. Linux is much better for isolated security and development, vs. Windows, which really needs AD to layer on security for full IAM. If they aren't using Office, then why pay for Windows and Access licenses when they could go full GNU?
You can build an enterprise on Linux and bolt on Kerberos, SMB, etc. and build an environment, vs. Windows, which without AV, AD, etc. is a Swiss cheese OS.
narcissisadmin@reddit
Access is a feature-rich self-contained database solution and it really shines when it comes to creating proof-of-concept solutions or easily knocking out a customized front-end for a different backend database system.
But all of that simplicity means that far too many companies have tens or hundreds of them floating around that have become critical and it's absolutely not for that.
techguy_crs@reddit
Back away slowly, take 42 shots of tequila, and hope you forget you stepped into that shit show.
WhyDoIWorkInIT@reddit
Enough said
trebuchetdoomsday@reddit
this is fantastic, and you should just clap that guy on the back and hope it never fails.