Locks, Keys, and Lock-Picking

By Steven H. Blackwell

Platinum Member Emeritus, FileMaker Business Alliance

Recently, an experienced FileMaker Pro developer posed a question on a developer group list about the behavior of FileMaker Pro files. Paraphrased, the question is as follows:

We've come across a small, but possible, security issue.

If a user has clicked the "Remember my password in my keychain", anyone can log in to the FMP system if the person has access to the computer.

Is there a way to prevent or manage this?

First, this is a good question. It pertains both to Macintosh and to Windows OS, even though the latter doesn’t have KeyChains.

Second, this really is not a FileMaker issue per se. It’s an OS level security issue and turns on how to control unintended access to network resources (or sometimes to local ones) from an authenticated workstation. A principal use of the KeyChain with FileMaker Pro on Macintosh OS is to mimic the Single Sign On capability found with External Server Authentication on the Windows OS.

The general threat vector here is focused on a workstation left unattended and thus vulnerable to having its log-in or similar information misused to access some digital or physical resource such as a FileMaker file or a network share.

In the same thread, another developer noted that you can begin hardening the workstation by using the option to require a password to wake from the screen saver. Expanding on that approach, you can harden it further with other workstation management options. These, however, may be onerous or impractical.

Third, there are ways to manage the KeyChain itself, some of which are discussed in an Apple Support Forum thread: https://discussions.apple.com/thread/3048021?start=0&tstart=0

Some of the information regarding FileMaker Pro contained in that Apple Forum thread is, I believe, incorrect. FileMaker Pro does not automatically store log-in credentials for a file in the KeyChain; a user must select that option. So, the question then becomes, as originally asked, how can that practice be prevented or (alternatively) how can the effects of such storage be mitigated or overridden?

In the KeyChain utility, under the Edit menu, you can set the login KeyChain to lock after a chosen number of minutes of inactivity, so that its password must be re-entered. This is probably better than the screen saver option.

At one time, before the introduction of Snow Leopard and Lion, it was possible to restrict the ability for the KeyChain to work with certain applications. I do not know whether that is still the case. Perhaps someone else can state definitively.

The problem with these settings, however, is that they are accessible to the end user unless an Administrator has set up the workstations and restricted user access. So unless the organization has taken these restrictive steps, there are weaknesses to this approach.
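The KeyChain inactivity lock described above can also be set from the command line, which lets an administrator apply and re-check it on managed workstations instead of relying on each user to set it. This is an added example, not part of the original post; it assumes the macOS `security` tool and the default login keychain location.

```shell
#!/bin/bash
# Added example (not from the original post): lock the macOS login keychain
# after N idle minutes and on sleep, then verify the setting took effect.
# Assumes the macOS `security` CLI and the default login keychain path.
set -eu

# Validate a positive integer minute count and convert it to seconds.
minutes_to_seconds() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -gt 0 ] || return 1     # zero would mean "never lock"
    echo $(( $1 * 60 ))
}

# Extract the timeout (in seconds) from `security show-keychain-info` output,
# which looks like this (constructed sample line):
#   Keychain "/Users/me/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
# Prints nothing if no timeout is configured.
parse_timeout() {
    sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p'
}

# Apply lock-on-sleep (-l) and lock-after-timeout (-u -t) to the login keychain.
harden_login_keychain() {
    local secs kc actual
    secs=$(minutes_to_seconds "$1") || { echo "invalid minute count: '$1'" >&2; return 2; }
    command -v security >/dev/null 2>&1 || { echo "security CLI not found (macOS only)" >&2; return 3; }
    kc="$HOME/Library/Keychains/login.keychain-db"
    [ -f "$kc" ] || kc="$HOME/Library/Keychains/login.keychain"   # older file name
    security set-keychain-settings -l -u -t "$secs" "$kc"
    # show-keychain-info reports on stderr, hence 2>&1
    actual=$(security show-keychain-info "$kc" 2>&1 | parse_timeout)
    if [ "$actual" != "$secs" ]; then
        echo "timeout not applied to $kc (got '${actual:-none}')" >&2
        return 4
    fi
    echo "$kc locks on sleep and after ${secs}s idle"
}

# Usage: ./harden_keychain.sh 5   (lock after 5 idle minutes)
if [ $# -gt 0 ]; then harden_login_keychain "$1"; fi
```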

Another way to force log-outs of the workstation, and thus require a re-authentication, is through the use of proximity devices. This procedure is employed in many organizations. Basically there is a device attached to the computer and a device attached to the user (usually a card or a USB type device). If the two devices are separated by some pre-defined distance, the workstation is forced to log-out.

Fourth, there are ways to make FileMaker Pro ignore the KeyChain and still require the user to provide credentials. The following FileMaker Pro script can be used for that purpose. It presumes an auto-log-on process with an Account and password attached to a Privilege Set called “LowLow”, with the script set to run on launch:

    Allow User Abort [ Off ]
    Set Error Capture [ On ]
    // A [Full Access] account (e.g. the developer) is not forced to re-authenticate
    If [ Exact ( Get ( AccountPrivilegeSetName ) ; "[Full Access]" ) ]
        Exit Script [ ]
    End If
    // Prompt for credentials regardless of what was supplied at open
    Re-Login [ ]
    // If the user cancelled or failed, the account is still the auto-login one
    If [ Exact ( Get ( AccountPrivilegeSetName ) ; "LowLow" ) ]
        Beep
        Beep
        Close Window [ Current Window ]
        // Exit Application
    End If

The effect of this script is to initiate a Re-Login when the file automatically opens with the auto-login. If the Account Privilege Set Name remains that of the auto-login Account, the system responds to block access. You can have it close the window or exit altogether as you wish.

Such a script’s accessibility must be controlled through the various Privilege Sets so as to prevent its being bypassed or tampered with by an external attack. File Access Protection options in FileMaker® Pro 11 can assist in that regard. This was one very specific reason for that feature’s being implemented and designed to work as it does.

The ever-inventive Mr. Kevin Frank, a well-known and long-time FileMaker developer, has suggested an alternative scripting approach in an entry on his blog: http://www.filemakerhacks.com/?p=2632

Fifth, and finally, there are some actions that can act directly on the KeyChain itself. The following AppleScript was being cited several years ago in various forums as a method to delete FileMaker Pro KeyChain entries. I have not tested it extensively and do not make any specific warranties about it:

    -- Intended to run from within FileMaker Pro (e.g. via Perform AppleScript),
    -- so that "window 1" is the front FileMaker window and its name is the file name
    set my_name to name of window 1

    -- Relies on the "Keychain Scripting" helper application being present
    tell application "Keychain Scripting"
        launch
        set my_keychains to (every keychain)
        set {FM_keys, FM_names} to {{}, {}}
        repeat with k in my_keychains
            -- leave the system and Microsoft certificate keychains alone
            if name of k is not "System.keychain" and name of k is not "Microsoft_Intermediate_Certificates" then
                unlock k
                set my_keys to every generic key of k
                repeat with i from 1 to count of my_keys
                    set key_type to creator type of item i of my_keys
                    -- only entries created by FileMaker Pro (creator code FMP7)
                    if key_type is «class FMP7» then
                        set FM_name to name of item i of my_keys
                        -- and only the entry for the file that is currently open
                        if FM_name is my_name then
                            delete item i of my_keys
                        end if
                    end if
                end repeat
                -- lock k
            end if
        end repeat
    end tell

There are several places where such a script might be run, including from within FileMaker Pro itself.

This is an interesting topic, and it’s one I raised in several places in FileMaker Security: The Book. I am going to take this under advisement again, and I may have more to say about it at a later date.
