Master Password Avoids a Business Extinction Event

Idea created by krheinlander on Sep 24, 2018

    A malicious admin can, by changing all FULL ACCESS accounts passwords, lock a company out of their core enterprise applications, producing effectively a business extinction event.


    Password breaking tools for FM/Windows are available but looked at - rightfully - as a potential piracy path. And if the file has EAR turned on, even this path is inaccessible.


    In the data center world, this is mitigated with Privileged Access Management (PAM) solutions; something that FileMaker should adopt to avoid scenarios like the ones below, to provide system integrity and reduce risk of a system lockout destroying a business that relies on FileMaker.


    I have a customer that this has happened to twice in the last 12 years, where the FM full access account locked the program full access accounts and quit and put a halt in the startup script. The only solution was a password reset with a commercial password reset tool. If the solution had had EAR turned on, the passwords would not have been recoverable, and it would have destroyed the company.


    As with commercial password managers, a master password to unlock the kingdom of stored passwords would be that safety net.


    So here is a scenario:

    1. Small company, no IT staff, outside developer(s).
    2. The developer gets disgruntled for whatever reason - not relevant
    3. Developer corrupts the backup process that retains the backups, by eliminating the critical files from the backup set - no error generated, no indication of anything amiss. Everything looks fine on the surface.
    4. The developer changes all the FULL ACCESS logins, and may have changed those passwords at the start of this nefarious effort, a few weeks ago, but no one else uses the full access accounts regularly, so no one else knows that backups or editing capabilities were now inaccessible, and had been for some period of time. This effectively makes all the backups over that time, inaccessible as well.
    5. The developer screws up the startup script so the program will not start.


    • The company can reset the server (PIN) admin password and re-establish the backup process.
    • They cannot execute the enterprise FM solution
    • They cannot get into the code to make changes or fix access.
    • The restored backups - at least for the last few weeks - exhibit the same symptoms - unrecoverable data gap


    • The file is NOT encrypted - EAR - so a password recovery program gains you access. Back in business


    • The file IS EAR - now you cannot gain access to the solution, and ........


      • Work stops
      • customer orders are unfulfilled
      • Staff is laid off
      • company closes


    You have experienced what is likely a Business Extinction Event.


    Recouping damages from an individual that wholly compensates a substantial established business is unlikely. Reputation alone, to say nothing of the damage to employees and their families, loss of unique skills to other jobs, downtime, client dissatisfaction and cost to recover clients (if even possible in your market) and business, would be substantial if not fatal.


    My idea is that FM provides a MasterPassword admin account -  inaccessible from any other full access account - that can be used in this situation to recover the program. All would be fine if there were this master password - something that is NOT accessible from within the login security model but does grant access to those login security settings, regardless of any other login's restriction on file access.


    In the data center environment, this process is called Privileged Access Management, where you control not only who has privileged access (old school), but who can change the privileged access, and recover from a loss of access of any/all privileged accounts. It allows re-establishing control by maintaining a separate bastion environment untouched by malicious intent, isolated.


    It could come with a default for all files, but be set by the owner, and maintained off-line in the hands of someone with fiduciary responsibility for the company, like a corporate officer, or better yet, stored in a company safe, just for such an occurrence.


    I think the easiest - from an existing UI perspective - would be if FMI were to add the access to login account management as an extended privilege checkbox, so you could shut it off for any privilege set you wanted, as a flag on an otherwise full access [limited] account, whereas a regular full access account would be like today's.
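    The following is an added illustration of the model proposed above (a master credential that sits outside the normal account table, plus an "account management" flag that can be switched off per privilege set); it is constructed example code, not anything from Claris or FileMaker, and every name in it (SecurityStore, login_master, set_manage_accounts, the account and password strings) is an assumption made for the demo:

```python
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    pass


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the toy store never holds cleartext passwords (any KDF would do here).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SecurityStore:
    """Accounts, privilege sets and one out-of-band master credential (hypothetical model)."""

    def __init__(self, master_password: str):
        self.accounts = {}  # name -> {"salt", "digest", "privilege_set"}
        self.privilege_sets = {"[Full Access]": {"manage_accounts": True}}
        self._master_salt = secrets.token_bytes(16)
        self._master_digest = _derive(master_password, self._master_salt)
        self.audit = []  # (actor, action, target); the recovery trail the owner wants

    def add_account(self, name, password, privilege_set="[Full Access]"):
        salt = secrets.token_bytes(16)
        self.accounts[name] = {"salt": salt, "digest": _derive(password, salt),
                               "privilege_set": privilege_set}

    def login(self, name, password):
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(acct["digest"], _derive(password, acct["salt"])):
            raise AccessDenied(f"bad credentials for {name!r}")
        flags = self.privilege_sets[acct["privilege_set"]]
        return {"actor": name, "manage_accounts": flags["manage_accounts"], "master": False}

    def login_master(self, password):
        # The master credential is not an account: no account can read or rewrite it.
        if not hmac.compare_digest(self._master_digest, _derive(password, self._master_salt)):
            raise AccessDenied("bad master password")
        return {"actor": "<master>", "manage_accounts": True, "master": True}

    def _require_manage(self, session):
        if not session["manage_accounts"]:
            raise AccessDenied(f"{session['actor']} may not manage accounts")

    def set_password(self, session, target, new_password):
        self._require_manage(session)
        acct = self.accounts[target]
        acct["salt"] = secrets.token_bytes(16)
        acct["digest"] = _derive(new_password, acct["salt"])
        self.audit.append((session["actor"], "set_password", target))

    def set_manage_accounts(self, session, privilege_set, enabled):
        # The proposed extended-privilege checkbox, togglable per privilege set.
        self._require_manage(session)
        self.privilege_sets.setdefault(privilege_set, {})["manage_accounts"] = enabled
        self.audit.append((session["actor"], "set_manage_accounts", privilege_set))

    def assign_privilege_set(self, session, account, privilege_set):
        self._require_manage(session)
        self.accounts[account]["privilege_set"] = privilege_set
        self.audit.append((session["actor"], "assign_privilege_set", account))

    def rotate_master(self, session, new_password):
        if not session["master"]:
            raise AccessDenied("only a master session may change the master password")
        self._master_salt = secrets.token_bytes(16)
        self._master_digest = _derive(new_password, self._master_salt)
        self.audit.append((session["actor"], "rotate_master", "<master>"))


def lockout_and_recovery():
    """Walk the lockout scenario from the post and recover with the master credential."""
    store = SecurityStore("kept-in-the-company-safe")  # constructed value
    store.add_account("owner", "owner-pw")
    store.add_account("dev", "dev-pw")

    # A full-access login can still lock out every other full-access account...
    dev = store.login("dev", "dev-pw")
    store.set_password(dev, "owner", "dev-only-knows-this")
    owner_locked = master_safe = dev_demoted = False
    try:
        store.login("owner", "owner-pw")
    except AccessDenied:
        owner_locked = True
    # ...but it cannot touch the master credential.
    try:
        store.rotate_master(dev, "hijacked")
    except AccessDenied:
        master_safe = True

    # Recovery: the officer opens the safe, logs in as master, restores the owner
    # and moves the developer to a full-access set without account management.
    master = store.login_master("kept-in-the-company-safe")
    store.set_password(master, "owner", "new-owner-pw")
    store.set_manage_accounts(master, "[Full Access - limited]", False)
    store.assign_privilege_set(master, "dev", "[Full Access - limited]")
    try:
        store.set_password(store.login("dev", "dev-pw"), "owner", "again")
    except AccessDenied:
        dev_demoted = True
    owner = store.login("owner", "new-owner-pw")
    return {"owner_locked": owner_locked, "master_safe": master_safe,
            "owner_restored": owner["manage_accounts"], "dev_demoted": dev_demoted,
            "audit": store.audit}
```

    The point the model makes is the one in the proposal: the master credential lives outside the account table, so no full access session can read, rewrite or delete it, while a master session can reset any account and flip the account-management flag on any privilege set; the audit list is what the owner reads afterwards to see who changed what.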


    A more restrictive approach - one that adds an additional risk path from a lost master password - would be using today's FM login account management access, where you need to login twice. It could be that IF you are set up with this master password turned on, you would only be able to get to the security model through the first login screen, with that master password credential set.


    The PIN recovery model as used in FMS might also be a path.


    In any case, since EAR, this has become a more significant potential problem.


    There is a related, but completely different, set of reasons for a very similar thing here:

    Protect the developer work - SuperUser, a new master privilege set