Database copy protection best practice

[fishtech]

FM 8.5 and FMA8.5, all on Mac OSX 10.4.x

We have field-sales reps who need a local copy of our main CRM database on their company laptops. The database consists of about 25 tables across 4 files, approx 200Mb in total.

We need to look at the hypothetical possibility of a sales rep deserting us and going to another company, taking a copy of our CRM database.

What is the best way to lock down the database so it cannot be copied, or cannot be run on a non-approved machine.

I saw that get(systemNICaddress) could possibly be used in a startup script to check the current host against a list of approved NIC's, but I'm just wondering what others are doing in this area of security.

Thanks,

ft.

[Fenton]

I'm no expert on hardware security, but here's a little AppleScript which you can use to also get the Serial Number of the machine:

do shell script "system_profiler SPHardwareDataType | grep 'Serial Number'| cut -c 22-"

Another thing to consider, and perhaps you have, are restrictions in Accounts and Privileges. They should not have Export privileges, and menus available should be "Editing only" or "Minimum". You might want to remove Print also; any necessary printing should be scripted.

Another somewhat wacky idea. You could set a date beyond which nothing would work. If say once a month they had to have it "extended", that would provide some protection. If you included this restriction in Record-level viewing privileges, that would make all fields unreadable when it ran out. It would also slow down Finds, etc. however.

Finally, you should run the external files through FileMaker Advanced Tools, and strip out Full Access. Then they could not even be hacked (knock on wood). You would have to give them a new file to "extend" it however, as no one could modify the privileges, not even you. If they went past the deadline the file would be dead as a doornail.

If they are adding/modifying data, you'd have to synchronize (before it went dead as a doornail -), but that's a problem anyway you do it.

[dicksonlim88]

I have a question here, how can i strip out the [Full Access] ? I Already tried many times, but there is a error message says that the database must have a account using [Full Access].

[Steven H. Blackwell]

I have a question here, how can i strip out the [Full Access] ? I Already tried many times, but there is a error message says that the database must have a account using [Full Access].

You must use the developer tools in FileMaker Pro Advanced to do this.

Steven

[dicksonlim88]

Where the developer tools locate :)

[Steven H. Blackwell]

In FIleMaker Pro Advanced, either the 8.5 version or the 9 version.

Steven

[fishtech]

Fenton,

Thanks a lot for your reply. I really like the idea of using the Mac's serial number, but I coudn't get

do shell script "system_profiler SPHardwareDataType | grep 'Serial Number'| cut -c 22-"

to return anything. How can I use this to return a value which I can then use in a calculation?

Additionally, if I run

system_profiler SPHardwareDataType | grep 'Serial Number'| cut -c 22-

in terminal, I just get a blank line following the command, then back to the input prompt.

For now I am using a concatenation of

Get ( SystemNICAddress ) & Get ( SystemPlatform ) & Get ( SystemLanguage )

This works fine to ensure that the CRM can only be run on English Macs with a pre-defined NIC address. But I would really like to add the serial number into this calculation.

BTW, the date idea is good but would users be able to work around it simply by back-dating their Time & Date system preferences?

Thanks,

ft.

[jadenguy]

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

law 3

if they have their hands on every 0 and 1 in that database, the data is theirs with enough tenacity, unless you have really complex crypto involved, in which case you refer to law 7.

that said, i'd dynamically generate a customized stripped out version of the database that has only the information they need, along with the time thing to help weed out the dumbest of sales people, then other tricks to keep putting walls up. but like i said, if they have access to all the 0s and 1s, they have the data.

also consider:

http://craphound.com/msftdrm.txt

i can't say i'm some kind of security expert, and using sources that all have the word MICROSOFT in them in less than antagonizing portrayals is like talking about compassion and using stalin as an example, but these are bits of info i'd certainly think about.