4 Replies Latest reply on Jan 26, 2015 12:40 PM by wimdecorte

    ESS / ODBC Security Question

    Devon Braun

      When setting up or editing an ODBC external data source in FMP you're given three options for authentication:


      • Prompt for user name & password

      • Specify user name and password (applies to all users)

      • Use Windows Authentication (Single Sign-On)


      Out of caution I've been using only the first.

      Question about the second: where/how does FMP store the user name & password entered?  In the database?  On the server computer?  How secure is this option?  It would be a great convenience to use, but security concerns prevail.

        • 1. Re: ESS / ODBC Security Question
          Mike_Mitchell

          It is stored inside the database file.


          As for your "security concerns" (you don't say what they are), I can't tell you "how secure" it is. I've never seen a tool that can recover ODBC login credentials, but that doesn't mean one doesn't exist. If you're concerned about it, you can always use the encryption at rest feature, which should make it awfully hard to crack.


          But putting the database on the server and restricting access to that is a really good start, since keeping grubby (or malicious) paws off the database file is a really important security fundamental. And restrict the [Full Access] account carefully (change the default account name to something other than "Admin" and put a strong password on it).


          HTH


          Mike

          • 2. Re: ESS / ODBC Security Question
            Devon Braun

            Thanks for the quick response.  Very helpful already.  And it seems the best-case scenario has users only accessing the db via FMP server. In this case I'm using databases that are not, so it's conceivable someone does indeed get access to the actual db file.  Are those credentials, when stored in the database, encrypted?

            • 3. Re: ESS / ODBC Security Question
              Mike_Mitchell

              The short answer is I don't know.


              FileMaker automatically obscures the data in the database file with a weak encryption. However, it doesn't meet many of the basic security standards that are in force today. Passwords for FileMaker accounts are not stored in the database; they are hashed and the hash is stored. I do not know about ODBC external source credentials, however; because those are used to log into an external database, they might not be able to be hashed.


              So if you want to be sure that the passwords are encrypted then you should use the at rest encryption feature in FileMaker 13.


              Furthermore, most of the hacks that attack FileMaker security depend on access to the actual physical file. If you're concerned about security I would suggest using the encryption at rest feature regardless of whether you're accessing external sources or not. If you can, remove developer access from the file before you deploy it for better security.

              • 4. Re: ESS / ODBC Security Question
                wimdecorte

                databoom wrote:


                Question about the second: where/how does FMP store the user name & password entered?  In the database?  On the server computer?  How secure is this option?  It would be a great convenience to use, but security concerns prevail.


                Not in the database in any data table. A FM file is one file that holds the database (tables, records) and all the schema (layouts, scripts, accounts, ...).

                So it is in the file but not in a data table.