Colin Greene Posted March 29, 2008
I am working on a FileMaker db which contains a lot of personal information. Creating forms and account privileges to hide this data is ok, but how safe is the fp7 file password at log-on from hackers? The files will sit on a secure part of the Server, but my user asked how safe is their Admin password from IS or others taking a peek? Can anyone get a back door crack? Any info welcome.
bcooney Posted March 29, 2008
"The files will sit on a secure part of the Server" does not sound like you're using a FM Server. Files should not be shared without an FM Server or peer-to-peer FM setup.
Steven H. Blackwell Posted March 30, 2008
If someone has physical access to the files, they can be broken into unless the [Full Access] privileges are removed using the Developer utilities. Even then, if someone knows a subordinate level Account and password and can access the file, unprotected data can be accessed.
Steven
Colin Greene (Author) Posted April 4, 2008
I think I understand: Are you saying if I employ a FM Server version this offers all the file protection I need? Are there any issues I need to convey to IS about using FM on their Servers?
Thanks,
Colin
Steven H. Blackwell Posted April 4, 2008
"Are you saying if I employ a FM Server version this offers all the file protection I need?"
No, especially since I have no idea what protection you actually do need. When I conduct risk and threat analyses for organizations, we spend a lot of time to get to the point of answering these questions:
1. What are the threats to the system?
2. What are the risks that the threats will occur?
3. What will be the impact of a breach?
When we have done all of this, then we can say--based on the known vulnerabilities--what appropriate security should be for the system.
Steven
bcooney Posted April 4, 2008
Forgive me if I'm being persistent about this, but do you intend to run FM Server on a dedicated box (good) or share a fileserver box (bad)? It sounds to me that you are not setting up a dedicated FM Server.
Colin Greene (Author) Posted April 8, 2008
This is clearly a complex issue which is rapidly getting outside my scope - I am not a Network person but have a working understanding. I have been designing the ID Card database which was going to sit on a dedicated PC/Laptop, but when IS got involved they want to put the file and FileMaker program on the company internet server and restrict access to the ID people. They say it's safer and more secure. My boss asked me the question "how secure is the password protection" as she didn't want IS or anyone else having a peek at the personal data. It's sensitive data in that there is enough information to steal the identity of a living person - not so good.
Regards,
Colin
Steven H. Blackwell Posted April 9, 2008
The answer is not good enough if you're storing really sensitive data in the files. You may need to look into encrypting the data at rest. Running FileMaker Server on a shared machine lessens the overall security of the system, not increases it. You need to restrict physical access to the machine as well as restricting administrative access to it. If you have legal or regulatory requirements to meet here, have you done a formal risk and threat analysis? You probably should do so.
Steven
Colin Greene (Author) Posted April 9, 2008
Thanks Steven. I will feed this back and see what they want to do. It's always good to throw in the litigation risk, so maybe IS will respond wisely.
CG