FM Security


jackal101

This topic is 1948 days old. Please don't post here. Open a new topic instead.

When it comes to security, anything with the word "just" is typically not enough.

Security has many layers that we need to consider. And all of it has to be weighed against the data we have, the risk of a breach, and the threat of said breach. Feel free to ask about specifics. I will outline a couple things that help us understand why it's typically not wise to create a custom login screen. No doubt others will add to it.

  • Authentication - if they are in the file, you have already bypassed the first line of defense. And you have to take additional steps to ensure they can't perform unauthorized actions.
  • DDoS style attacks are much easier if you just let them in the file. They may not be able to get the data, if you have properly secured it using FileMaker's built-in security privileges...but they can still crash the server.
  • It has been demoed fairly extensively that, while FileMaker's native security is very solid, custom login screens, more often than not, open a hole to allow someone to access the data.
  • If any of your security model relies on scripts executing, they can't be trusted. Someone can stop any script from running. This is not something you can prevent from happening. It's not a security threat in itself, but if the manipulation of a user's authorization or authentication relies on scripts, it can be easily defeated.

https://community.filemaker.com/videos/1697

I know this thread about 2 Factor Authentication was long, but it's worth the read. In the end, you have to decide if a proven risk is worth the UI gain for something that is seen so infrequently.


Thank you Josh.

Main concern is the admin or user that could modify the layout. I tried to open fmp files using passkey, all accounts are there and I can delete all the passwords.

Any negative effect if I remove the admin account (Full access)?
