Wednesday, August 13, 2008

Securing Free Table Data

Security is a concern of every network administrator and software developer. The security of information and the servers on which it resides is critical. Advantage has many features which insure data security through encryption which ensures that only Advantage can read the data. However, there are several ways to restrict access to the data using the Operating System and other Advantage Features.

Using a Service Account

Service Account ConfigurationOne of the easiest and most effective configuration changes you can make is creating a specific account for the Advantage Service. By default the Advantage services uses the SYSTEM user account, a built-in account with access to all drives on the system. By creating a specific account you can limit access to specific file locations on the server.

For example the SYSTEM account has full access to the root drive. By using a specific user for Advantage the file system rights can be much more restrictive only allowing Advantage users to access specific folders on the server.

Once a service account has been created and assigned to the appropriate group(s) it can be used by Advantage. This is done by opening the properties of the Advantage Service and specifying the account on the Log On tab (pictured).

Network Operating System Rights

Advantage uses Network Operating System (NOS) rights for determining if users can access specific files by default. Therefore specific rights must be granted to users before they can access files on the server. This method requires some additional overhead in checking these rights for each user which connects. It also requires additional management since each user must be assigned to a specific group or granted rights to the data folders.

Advantage can also ignore the NOS rights and open the file for any Advantage user. This does not require an additional check to the OS before opening the file. It also allows for easier administration since the data folders do not need any specific rights, other than the Advantage service account, granted to users. This is a very useful technique if you need to provide direct access to the files for specific groups while allowing other groups to only access the data through Advantage.

Using Server-Side Aliases

Server-side aliases were introduced in version 8.0 of Advantage and provide a mechanism for hiding data from the users. Once the alias is defined in the server.ini file it can be used as a data path by an application. Instead of connecting to a data share you specify the alias name instead.

The path to the alias gets resolved by Advantage and therefore there is no need to share the folder where the data is stored. This ensures that the data cannot be opened through the network without going through Advantage. You can get more information about server-side aliases in this tech-tip.

Data Dictionaries

There additional options for security when using Data Dictionaries. Database users and groups can be created within the dictionary and assigned rights to individual objects within the dictionary. I will discuss the various options for data dictionaries in my next post.

No comments: