14 has that little checkbox for remembering the password for Full Access users.
Not if you check it off in the "File Options"...
Your points are well taken as a precaution but nothing what you say should prevent people from logging into a user's machine with a full access account for troubleshooting.
If they have a key-logger going on then they have a much bigger problem in general that should be tackled elsewhere.
And as a developer you can still change your full access account pw right after the session.
Your last point about changing the password was the best point and the
others somewhat argumentative.
Note that even changing the password might not be enough as a really
dedicated varmint could capture the data during your login, open your
account on another computer and create a new full access account, etc.
Let's see, how many accounts can be opened at one time using the same
account name and passwords? Lots...
We all know how often developers scan the list of user accounts and
assigned privileges, etc. Everybody, raise your hands if it has been a
month or more since you glanced at your security dialog!
I get all you are saying, but what *are* you saying really? That nobody should ever log into any machine with a full access account? Ever?
Of course my points are argumentative because you seem to be warning people not to do anything. You are pointing out the obvious security risks, and they are very worthy of repeating. But how do you suggest people go about their business?
Of course environments should be scanned for all malware. And you should have multiple layers of defence, including retro-actively looking at who logged in with what account, That should help with both preventing unauthorized access and catching after the fact.
What I don't get from your post is a constructive contribution on how to make it better. And that's fine. Warnings are good, the more the better. But at some point we need to translate those in to actionable items that people can do to counter-act them.
So how do you safely log into a user's machine with a full access account?
You are correct in that my 'Caution' may not have listed useful tools.
We no longer need to use a users' computer to log in as full access while
at their desk. A MacBook or laptop using WiFi will do just fine and keep
our full access accounts private and eliminate the need to lose the exact
record a user is working on or upset their stasis.
So, my main recommendation would be to use a MacBook and WiFi with the
acknowledgement that WiFi isn't that secure or to carry an long Ethernet
cable and plug into the hub.
I developed various workarounds since one user was extremely possessive
about 'their' computer especially if I moved icons on their desktop...
Note that Windows Pro and Macs allow using the computer as a base station
which of course raises other security issues.
what are you afraid of, exactly? Somebody stealing your layouts, field definitions and scripts ? Or the whole solution ?
Any developer worth this title would not do that, because it takes more time to understand somebody else's logic than developing from scratch along your own logic, if you are a real developer. If you aren't, be my guest to work out the 9622 scripts, 2061 relationships, 283 tables, 161 layouts and 19930 fields humming in my solution.
Moreover, this forum - and others - plus tons of company sites and custom function sites and blogs are actually disclosing the best and most brilliant ideas in FM developing. For free.
So what is left ? Well, the client's data is left. That's often the most valuable part, not your solution, which only carries that data in its womb. So it's the client's highest interest to avoid messing up with it.