jackal101 (Newbies) Posted December 18, 2018

Greetings, There are plenty of discussions about security issues when creating a custom login screen. Can't I just remove the admin? Is that secure enough? Or have two fmp files, login.fmp and main.fmp, and use the re-login script?
Josh Ormond Posted December 18, 2018

When it comes to security, anything with the word "just" is typically not enough. Security has many layers that we need to consider. And all of it has to be weighed against the data we have, the risk of a breach, and the threat of said breach. Feel free to ask about specifics. I will outline a couple of things that help us understand why it's typically not wise to create a custom login screen. No doubt others will add to it.

Authentication - if they are in the file, you have already bypassed the first line of defense. And you have to take additional steps to ensure they can't perform unauthorized actions.

DDoS style attacks are much easier if you just let them in the file. They may not be able to get the data, if you have properly secured it using FileMaker's built-in security privileges...but they can still crash the server.

It has been demoed fairly extensively that, while FileMaker's native security is very solid, custom login screens, more often than not, open a hole to allow someone to access the data.

If any of your security model relies on scripts executing, they can't be trusted. Someone can stop any script from running. This is not something you can prevent from happening. It's not a security threat in itself, but if the manipulation of a user's authorization or authentication relies on scripts, it can be easily defeated.

https://community.filemaker.com/videos/1697

I know this thread about 2 Factor Authentication was long, but it's worth the read. In the end, you have to decide if a proven risk is worth the UI gain for something that is seen so infrequently.
jackal101 (Newbies, Author) Posted December 18, 2018

Thank you Josh. My main concern is the admin or user that could modify the layout. I tried to open fmp files using passkey; all accounts are there and I can delete all the passwords. Any negative effect if I remove the admin account (Full Access)?
Josh Ormond Posted December 19, 2018

If you turn on Encryption At Rest (EAR) in the developer tools, passkey can't open the file. Just don't forget that encryption password. https://fmhelp.filemaker.com/help/17/fmp/en/index.html#page/FMP_Help/encrypting-database-files.html