A READER ASKS: Launcher Files And Security Breaches

From Dwayne Wright PMP, PMI-ACP, CSM
Certified FileMaker Developer

WEB: www.dwaynewright.com
EMAIL: info@dwaynewright.com
TWITTER: dwaynewright
YOUTUBE: FileMakerThoughts

A READER ASKS
Ok is there any way to make a launcher file for a networked database NOT a security breach? I have a launcher file that I do not want to put all user accounts in and when it logs itself in as the default account for the file, those permissions flow through to the networked file creating a situation where I can log in as papa smurf with no password and the system goes, come right in and see what I got! The account is not one that is in the hosted file and I am issuing a relogin command from the opening script in the hosted file. If I don't it just goes right in no security at all. Cool.

This leads me to believe that if I see a file that I can't get into, all I have to do is host it, create a launcher file for which I do know the password and launch it that way and I am in like Flynn.

This is not the first major security hole I have found but I think it might be the biggest.

Any ideas? Am I missing something glaringly obvious?

Thanks in advance for any light you may be able to shed on this.

-------
DWAYNE RESPONDS
Well, this is a very good illustration of the trade-off between productive flexibility and security. There are a number of options you can add to a FileMaker database that introduce potential security holes. There are a huge number of security protection features that make the database more of a challenge for users to deal with. This is one of the main reasons why security of a database solution is never complete. You simply arrive at a point at which you feel comfortable with what you have at the moment.

It is true that any time a user can have physical access to a file and that file has security-related information within it ... there is a definite security risk. It doesn't matter if we are talking about data or schema. If someone has a file, the resources and the determination ... it may eventually get exploited.

The real answer is to protect the database as much as you can and try to add in the ability to see where your security might be compromised. If you are using FileMaker Server, there are a number of different things you can do to increase the security of the databases it hosts. Most of these are included in the manuals that come with FileMaker Server. Leveraging the built-in features FileMaker provides for you is always your first step in securing a solution.

You can add layers on top of the FileMaker default security layer that can enhance your ability to protect your database or to see where a security breach is taking place. Most of these methods can be found in the Get family of FileMaker functions (although there are a couple of Design functions and perhaps Custom functions that might be useful).

If you were to log startup information, such as the values the following functions provide ...

Get ( AccountName )
Get ( FileMakerPath )
Get ( HostApplicationVersion )
Get ( ExtendedPrivileges )
Get ( PrivilegeSetName )
Get ( SystemDrive )
Get ( SystemIPAddress )
Get ( SystemNICAddress )
Get ( SystemVersion )
Get ( UserName )

DatabaseNames
WindowNames {( fileName )}

You may have a trail of bread crumbs you can use to detect and isolate security breaches. If you can detect and isolate, you are well on the way to knowing how to best protect the database going forward.

For example, you can record the account logged into the system, its IP address and information about the computer it is running on. If all of a sudden you see an account using a totally new computer, you may want to follow up on what is going on.
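The follow-up check described above can be run over an export of the startup log. The Python below is an added example, not code from the original post: the CSV column names, the sample rows and the EXPECTED_ACCOUNTS list are constructed assumptions, and it assumes one NIC address is stored per row.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a CSV export of a hypothetical startup-log table, one row per
# file open, with columns filled from Get ( AccountName ), Get ( SystemIPAddress ),
# Get ( SystemNICAddress ) and Get ( SystemVersion ).
SAMPLE_LOG = """timestamp,account_name,system_ip,system_nic,system_version
2008-03-03 08:01:12,jsmith,192.168.1.20,00:00:5E:00:53:01,10.5.2
2008-03-04 08:03:40,jsmith,192.168.1.20,00:00:5E:00:53:01,10.5.2
2008-03-04 09:15:02,mlopez,192.168.1.31,00:00:5E:00:53:02,6.0
2008-03-05 08:02:55,jsmith,192.168.1.77,00:00:5E:00:53:09,10.5.2
2008-03-05 23:41:18,papa smurf,192.168.1.77,00:00:5E:00:53:09,10.5.2
"""

# Assumption: the accounts actually defined in the hosted file, kept by the developer.
EXPECTED_ACCOUNTS = {"jsmith", "mlopez"}


def find_anomalies(log_text, expected_accounts):
    """Return (timestamp, account, reason) tuples for log rows worth a follow-up."""
    seen_nics = defaultdict(set)  # account -> NIC addresses already observed
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        account = row["account_name"].strip().lower()
        nic = row["system_nic"].strip().upper()
        if account not in expected_accounts:
            findings.append((row["timestamp"], account,
                             "account not defined in hosted file"))
        elif seen_nics[account] and nic not in seen_nics[account]:
            # An account's first login only sets its baseline; later new hardware is flagged.
            findings.append((row["timestamp"], account,
                             f"new computer {nic} from {row['system_ip']}"))
        seen_nics[account].add(nic)
    return findings


if __name__ == "__main__":
    for timestamp, account, reason in find_anomalies(SAMPLE_LOG, EXPECTED_ACCOUNTS):
        print(f"{timestamp}  {account}: {reason}")
```
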
For more info about the author and FileMaker in general, contact me at info@dwaynewright.com.

© 2008 - Dwayne Wright - dwaynewright.com

The material on this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.