31 Replies. Latest reply on Jan 30, 2012 8:09 AM by RayCologon

    Changing security setting using External Server Accounts

    Karnel

      I've seen several posts regarding External Server Accounts (ESA) not being able to change security settings. I actually liked the idea that I could set up a local full access account that was the only account that had ultimate control over security, and ESAs could have access to everything (including database management) but not security.

       

      I was using this as an added level of security until I realized there is a way for an ESA to change security settings! I discovered an ESA can't change existing accounts, but it can create a new full access local account and then use the new account to authenticate the changes. Does anyone know how to prevent an ESA from creating a new full access local account??

        • 1. Re: Changing security setting using External Server Accounts
          RayCologon

          Karnel wrote:

          Does anyone know how to prevent an ESA from creating a new full access local account??

           

          Hi Karnel,

           

          I'm afraid [Full Access] privileges do mean full access, including the ability to access the Manage>Security dialog. This is the case whether the login is authenticated internally or externally. Moreover, while externally authenticated users with [Full Access] privileges may not be able to change external accounts, they will be able to edit privilege sets - as well as create new internally authenticated accounts, as you say.

           

          If you want users to be able to create and edit layouts and scripts, you can assign those permissions to Privilege Sets that are associated with externally authenticated accounts. Then the users will have some design privileges, but won't have access to change security (nor schema).

           

          I should perhaps also mention that it is generally not considered a great idea to have externally authenticated accounts assigned [Full Access] privileges, as it provides a path of increased risk/vulnerability.

           

          Regards,

          Ray

          ------------------------------------------------

          R J Cologon, Ph.D.

          FileMaker Certified Developer

          Author, FileMaker Pro 10 Bible

          NightWing Enterprises, Melbourne, Australia

          http://www.nightwingenterprises.com

          ------------------------------------------------

          • 2. Re: Changing security setting using External Server Accounts
            Karnel

            Ray,

             

            Thank you for your reply!  I was hoping to find a way to grant external accounts everything (including schema) but Manage>Security. 

             

            I suspected there wasn't, but thought I would ask since I'm constantly finding things FileMaker can do that I originally didn't think it could.

             

            I also appreciate you mentioning the risk/vulnerability of Full Access external accounts. I had noticed that in several documents as I was researching this issue. I am re-thinking our policy on setting up those types of accounts.

            • 3. Re: Changing security setting using External Server Accounts
              BeatriceBeaubien

              Hi Karnel,

               

              There is a way to give access to the schema, without the Manage>Security access; the "Open Manage Database" script step, with "run with full access" selected.

               

              If you give this Super User privilege set access to scripts, value lists and layouts, when an account with this privilege set tries to edit this script step it throws an error and doesn't permit it. It seems to be an effective way to permit everything but security settings changes.

               

              One caveat: I have tested this strategy but never had the need to implement it, so I don't have real world experience with it in the "wild". Whenever someone thought they needed it, we found a more conservative way forward.

               

               

              Best wishes,

               

              Beatrice Beaubien, PhD

              i2eye, Toronto, Canada

               

              FileMaker Business Alliance

              FileMaker 11 Certified Developer

               

               

               

               

              On Jan 24, 2012, at 16:58, Karnel wrote

               

              Thank you for your reply!  I was hoping to find a way to grant external accounts everything (including schema) but Manage>Security.

               

               

              I suspected there wasn't, but thought I would ask since I'm constantly finding things FileMaker can do that I originally didn't think it could.

               

               

              I also appreciate you mentioning the risk/vulnerability of Full Access external accounts. I had noticed that in several documents as I was researching this issue. I am re-thinking our policy on setting up those types of accounts.

               

              • 4. Re: Changing security setting using External Server Accounts
                Mike_Mitchell

                Ray -

                 

                This is interesting. Can you elaborate a bit on the increased vulnerability with such a setup? The reason I ask is that we are mandated to use AD by company / government policies here. They consider it more secure because of several factors (the ability to terminate a domain account from a central location, automatic strength testing, automatic password expiration, etc.), so it would be interesting to see what the increased vulnerability might be.

                 

                Or is it just what you mentioned - the ability for an externally authenticated group to monkey with the security dialog?

                 

                Mike

                • 5. Re: Changing security setting using External Server Accounts
                  RayCologon

                  Mike_Mitchell wrote:

                  Or is it just what you mentioned - the ability for an externally authenticated group to monkey with the security dialog?

                   

                  Hi Mike,

                   

                  No, the risks go beyond that.

                   

                  If a [Full Access] account is externally authenticated, anyone who can get physical access to the file may try to 'spoof' or partially replicate the EA environment to give them access they are not entitled to - and if that includes [Full Access] privileges, they may be able to tamper with the file and/or to see and reveal substantially more than might otherwise be the case.

                   

                  It's worth noting that there are other risks also, where anyone (who shouldn't) can gain physical access to the files, but having EA for [Full Access] accounts introduces additional risks.

                   

                  Regards,

                  Ray

                  ------------------------------------------------

                  R J Cologon, Ph.D.

                  FileMaker Certified Developer

                  Author, FileMaker Pro 10 Bible

                  NightWing Enterprises, Melbourne, Australia

                  http://www.nightwingenterprises.com

                  ------------------------------------------------

                  • 6. Re: Changing security setting using External Server Accounts
                    Vaughan

                    All you need is a copy of the database file and the names of the external groups, a copy of FMS, and a computer to run it on.

                     

                    Load the file onto your FM server, set up the group names on your server's OS users and groups (no need to set up an OD or AD) and bada-bing-bada-boom you're in. If the [full access] account is EA then the file is completely open and a normal internal account can be created to give full access outside of FMS.

                     

                    This reinforces the fact that the first step in database security is restricting physical access to the files. Including the backups.

                    • 7. Re: Changing security setting using External Server Accounts
                      RayCologon

                      Vaughan wrote:

                      bada-bing-bada-boom...

                       

                      Hi Vaughan,

                       

                      LOL - nothing like putting it right out there! ;)

                       

                      But seriously, that's exactly right. If the person(s) in question are then able to get their copy of the file back onto the production server then all bets are off for security of the production system - which is a hop and a step beyond the worst that can be done with run-of-the-mill crack'n-hack tools.

                       

                      Conversely, providing there are no EA accounts with [Full Access] then the use of EA doesn't really pose a greater threat than would exist anyway in a situation where physical access to the files is available to the 'wrong' people.

                       

                      Cheers,

                      Ray

                      ------------------------------------------------

                      R J Cologon, Ph.D.

                      FileMaker Certified Developer

                      Author, FileMaker Pro 10 Bible

                      NightWing Enterprises, Melbourne, Australia

                      http://www.nightwingenterprises.com

                      ------------------------------------------------

                      • 8. Re: Changing security setting using External Server Accounts
                        Vaughan

                        Indeed, I'm not suggesting EA poses more security risk. The critical step is "get a copy of the database file" and THAT should be the one that is hardest to do in any security-aware environment.

                         

                        Interestingly, my instructions for "cracking" the file through EA illustrate EXACTLY how simple and convenient EA is to set up with FileMaker Server. Not a bug, a feature.

                        • 9. Re: Changing security setting using External Server Accounts
                          RayCologon

                          Vaughan wrote:

                          Indeed, I'm not suggesting EA poses more security risk. The critical step is "get a copy of the database file" and THAT should be the one that is hardest to do in any security-aware environment.

                           

                          Interestingly, my instructions for "cracking" the file through EA illustrate EXACTLY how simple and convenient EA is to set up with FileMaker Server. Not a bug, a feature.

                           

                          Agreed. It's also worth noting that FileMaker is not alone in its vulnerability where EA is involved. One might say that EA in general is a trade-off in that it trades convenience of one sort for convenience of another, and reduces some risks while introducing (or perhaps amplifying) others.

                           

                          A good option to have, and to pursue - as long as one is mindful of the trade-offs.

                           

                          All the best,

                          Ray

                          ------------------------------------------------

                          R J Cologon, Ph.D.

                          FileMaker Certified Developer

                          Author, FileMaker Pro 10 Bible

                          NightWing Enterprises, Melbourne, Australia

                          http://www.nightwingenterprises.com

                          ------------------------------------------------

                          • 10. Re: Changing security setting using External Server Accounts
                            Vaughan

                            Last year I implemented EA for a very small company -- just 6 staff. They had the unfortunate occurrence that a previous employee had walked out with a copy of the client database.

                             

                            I set up a FM server with local groups and removed all internal accounts from the files except for full access. The user account was externally authenticated to the host computer with individual accounts for most users and a generic account for temps.

                             

                            Now if anybody gets a copy of the client file they find they cannot open it because their account does not exist in the file, it only has the full access account internally defined. The EA group name was suitably obscure to ensure that it cannot be guessed.

                             

                            I also got them to get a server-grade UPS and now their solution is both secure and unbelievably stable (the power in their area is unbelievably bad).

                            • 11. Re: Changing security setting using External Server Accounts
                              Mike_Mitchell

                              Okay, I get it. Good information. So allowing the "wrong" people physical access to the database files is bad - and I already knew that.

                               

                              But ... I don't get why this is worse than cracker tools that would give such people the full access account and password to the internal FileMaker account in such a scenario. They can still log into the production file, get access to everything (including Manage Security), cause grave damage, and it doesn't require setting up a server, knowing what the EA groups are, etc.

                               

                              I must be missing something. Or is it just the fact that the person has to go out and get the cracker tool if there are no EA groups with full access (which, really, seems kinda trivial compared to having to set up an EA environment - at least to me)?

                               

                              Mike

                              • 12. Re: Changing security setting using External Server Accounts
                                RayCologon

                                Mike_Mitchell wrote:

                                ...Or is it just the fact that the person has to go out and get the cracker tool if there are no EA groups with full access...

                                 

                                Hi Mike,

                                 

                                The issue is that if a tool has been used to tamper with password validation hash strings in a file, the file can't be put back into production (e.g. with those and other changes) without almost immediate detection - as soon as someone attempts legitimate access to the file using a local account, the fact that internal credential validation has been compromised will be evident and the game will be up. I.e. it's about as subtle as driving through the front doors with a tank.

                                 

                                However if an EA spoof is used to gain access via an EA [Full Access] account, the (modified) file can be re-posted to the live production server and will continue to operate as before - ie any changes made in this way may go undetected. That means that unless there are other measures in place, a "nefarious party" may potentially gain ongoing access and/or make code changes to the production files, without detection.

                                 

                                Regards,

                                Ray

                                ------------------------------------------------

                                R J Cologon, Ph.D.

                                FileMaker Certified Developer

                                Author, FileMaker Pro 10 Bible

                                NightWing Enterprises, Melbourne, Australia

                                http://www.nightwingenterprises.com

                                ------------------------------------------------
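
As an added example (not part of the original thread and not FileMaker tooling): one of the "other measures" could be a periodic diff of the account list against a known-good baseline, flagging externally authenticated entries that hold [Full Access] and any [Full Access] account that was not in the baseline. The CSV layout, the account and group names, and the function names are assumptions made for illustration; the inventory itself would have to be recorded by the administrator.

```python
import csv
import io

FULL_ACCESS = "[Full Access]"

# Constructed sample inventories (hypothetical layout: name, auth, privilege_set).
BASELINE_CSV = """name,auth,privilege_set
Admin,internal,[Full Access]
FM_Developers,external,[Full Access]
FM_Staff,external,Data Entry
"""

CURRENT_CSV = """name,auth,privilege_set
Admin,internal,[Full Access]
FM_Developers,external,[Full Access]
FM_Staff,external,Data Entry
support2,internal,[Full Access]
"""


def load_accounts(text):
    """Parse an inventory into {(name, auth): privilege_set}.

    Names are case-folded so a case-only variant cannot slip past the diff.
    """
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["name"].strip().casefold(), row["auth"].strip().lower())
        accounts[key] = row["privilege_set"].strip()
    return accounts


def audit(baseline_text, current_text):
    """Return (finding, account) pairs for [Full Access] entries needing review."""
    baseline = load_accounts(baseline_text)
    current = load_accounts(current_text)
    findings = []
    for (name, auth), priv in sorted(current.items()):
        if priv != FULL_ACCESS:
            continue
        if auth == "external":
            # The configuration the thread advises against.
            findings.append(("EA_FULL_ACCESS", name))
        before = baseline.get((name, auth))
        if before is None:
            # e.g. a local full access account created after the baseline.
            findings.append(("NEW_FULL_ACCESS", name))
        elif before != FULL_ACCESS:
            findings.append(("ESCALATED_TO_FULL_ACCESS", name))
    return findings


if __name__ == "__main__":
    for kind, name in audit(BASELINE_CSV, CURRENT_CSV):
        print(kind, name)
```
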

                                • 13. Re: Changing security setting using External Server Accounts
                                  Mike_Mitchell

                                  I guess that's true. But we've cracked files (had to, when developers left the company) and extracted the account info, then just used the original file. What stops that?

                                   

                                  Mike

                                   

                                  P.S. Sorry if I seem thick here - I honestly don't understand.

                                  • 14. Re: Changing security setting using External Server Accounts
                                    Karnel

                                    Mike_Mitchell wrote:

                                     

                                    I guess that's true. But we've cracked files (had to, when developers left the company) and extracted the account info, then just used the original file. What stops that?

                                     

                                    Mike

                                     

                                    P.S. Sorry if I seem thick here - I honestly don't understand.

                                     

                                    I so appreciated the extended discussion on this. My focus has primarily been database design. I don't have a high level of understanding when it comes to AD and security to come up with all the questions to grasp everything involved.

                                     

                                    We've had to crack files before as well......this is so good to know!

                                     

                                    Karnel
