Thread: Security Lockdown - suggestion

  1. #1
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Security Lockdown - suggestion

    I made a suggestion to Alpha to add a "security lockdown" option to their publishing process. I wanted to run the idea past the message board and see if you think it is a good idea or not.

    Background: when you are in the process of creating a web application you need to publish web security files from your desktop to your server. As soon as you publish these files to your server, you have two sets of security files, one on your desktop, and one on the server.

    As soon as your web application goes live and the first user adds themselves to your online application, your server security files are DIFFERENT than your desktop files. Your server files are "live" in that they contain the most current list of users. Your desktop copy is "stale".

    If you were to publish your desktop security files to the server, accidentally or on purpose, it would overwrite your "live" files, effectively deleting all of your users, or any users since your last backup, if you have one. All of them would have to re-register.

    It's very easy to overwrite your security files, just check the box that says Publish Web Security Data tables - a mistake you ARE going to make someday.

    Note - do make a daily backup of your online websecurity*.* files and your own users table. I use Cobian Backup 9 for all of my backup needs, see my website under Utilities.

    Anyway, I suggested Alpha add a "Lockdown" check box deep in the View > Settings area that, if checked, would prohibit publishing of any user-related security files and any tables you identified, like your local users table. A typical application would spend years in this lockdown condition.

    So is this Lockdown a good idea?
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  2. #2
    Moderator Steve Workings's Avatar
    Real Name
    Steve Workings
    Join Date
    Apr 2000
    Location
    The Dreaded Chair
    Posts
    5,596

    Default Re: Security Lockdown - suggestion

    Yes Steve, I agree it's a great idea. That plus more control over what files get published. Sometimes you just want to publish a single file of your choice, not all that stuff Alpha throws in. It shouldn't be hard for them to add some controls for such choices.
    -Steve


  3. #3
    VAR Dan Blank's Avatar
    Real Name
    Dan Blank
    Join Date
    Apr 2000
    Location
    Fort Worth, TX
    Posts
    995

    Default Re: Security Lockdown - suggestion

    I also agree. It is a great idea. The security files are too important to just "tick" a check box and then they get overwritten.
    Dan

    Dan Blank builds Databases
    Skype: danblank

  4. #4
    Moderator drgarytraub's Avatar
    Real Name
    Dr. Gary Traub
    Join Date
    May 2000
    Location
    Boca Raton, FL
    Posts
    2,768

    Default Re: Security Lockdown - suggestion

    Ditto - absolutely - I have already overwritten files before, and I do make daily backups of everything as well as the security files.

    But your suggestion, I think, is a no brainer ...

    Gary

  5. #5
    "Certified" Alphaholic Rich Hartnett's Avatar
    Real Name
    Richard Hartnett
    Join Date
    Nov 2002
    Location
    Bowie, MD
    Posts
    1,456

    Default Re: Security Lockdown - suggestion

    It's amazing how you read something on the message board, and it suddenly answers the question to a problem you've been having for quite a while.

    On one of my applications, I add the new users and assign them a "starter" password, and ask them to change it immediately. A while back I had users telling me that they would change their password online, and before they knew it, it had magically changed back to their starter password. I was pulling my hair out for months trying to figure out why this was happening, and was starting to think that it was a bug in the system. I got so frustrated with it, that I finally just told the users to tell me what they wanted their password to be, and I manually entered it into the backend of the system. I never had any problems when I did it that way.

    But now the light bulb has come on! I was doing my development work on my desktop computer, and when I would add a new user, I would enter their "starter" password, and would naturally publish the Data Table for Users & Groups to add this new user. (I always noticed the warning about overwriting the existing user table, but I figured, "I'm adding a new user, so I have to overwrite/update the table, right?")

    And now after reading Steve's initial post, I think I see what was happening. I was overwriting the server's User Data Table with the outdated one located on my desktop, which I'm sure, was replacing the passwords the users had changed online, with the original (starter) ones still stored in my desktop data table. The answer was right in front of me, yet I never saw it.

    Man I'm glad I now know why that was happening. It was driving me crazy, and I don't have much hair left to pull out!!

    YES - a lockdown is a great idea Steve!!
    Sergeant Richard Hartnett
    Hyattsville City Police Department
    Maryland

  6. #6
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: Security Lockdown - suggestion

    Selwyn said this sounded like a good idea, but I have not heard back since. If YOU understand the issue presented here and believe as strongly as I do, please make a comment here.
    Steve Wood

  7. #7
    Member
    Real Name
    Michael Scholin
    Join Date
    May 2007
    Location
    Madison, WI
    Posts
    321

    Default Re: Security Lockdown - suggestion

    I don't mind saying that I have fallen victim to this situation . . . hmmm, . . . once or twice!

    It is confusing that there are a couple of security tables that are not in sync and it is way too easy to check that little box when publishing tables.

    I would bet that the amount of work it takes one of us to re-establish our client logins in a case like this would certainly be less time for an Alpha programmer to write code to prevent this from happening in the future.

    Great point Steve - Thanks!

  8. #8
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: Security Lockdown - suggestion

    And to me, it is not really a Security Framework issue. It's a DO NOT PUBLISH these particular files issue -- the control should be at the Publish level. I'd have a dialog called Lockdown or just Do Not Publish and a checkbox for Security Users and Groups. If checked, no matter what, those files would not publish. A bonus would be the ability to flag specific tables in lockdown mode. I would not want to publish particular tables to a live application. I'm a little less concerned with tables because you can toggle publishing tables to be generally off, and then select only those tables you wish to publish. But if you select publish all, and accidentally check the database box, you're dead meat.

    This very act is what prompted me to make the suggestion to Selwyn. I thought I was publishing All to Localhost, but published All to my server. I did lose one user that was not in my backup. Not a big loss, unless you are that one user.

    What I want protection against is that momentary slip-up where I, my client, or some assistant, slips up and publishes something that hoses the online application. The way I described it to Selwyn was, it really will be my fault if I slip-up and overwrite a live user list (which is very easy to do), but the fallout from such an act will reflect poorly on all parties, including Alpha.
    Steve Wood

  9. #9
    Moderator
    Real Name
    Alan Buchholz
    Join Date
    Oct 2000
    Location
    Delavan, Wisconsin
    Posts
    9,563

    Default Re: Security Lockdown - suggestion

    Has anyone tried publishing with Windows Server 2008/2009 (or whatever has the file versions functionality in it...) and determined if that helps the situation?

    Since the entire file is being replaced in the publish process, the file versions may be a built-in safety mechanism to help.

    For Windows versions without this functionality, we need to figure out a way to provide it...

    For those of you who have used the VAX operating system, you'll understand the power of the file version model.......
    Al Buchholz
    Bookwood Systems, LTD
    Weekly QReportBuilder Webinars Thursday 1 pm CST

    Occam's Razor - KISS
    Normalize till it hurts - De-normalize till it works.
    Advice offered and questions asked in the spirit of learning how to fish is better than someone giving you a fish.
    When we triage a problem it is much easier to read sample systems than to read a mind.
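
An added example, not part of any post above and not Alpha's code: a publish step that applies the "Do Not Publish" lockdown described in post #8 and, when lockdown is off, keeps a versioned copy of the live file before replacing it, as post #9 suggests. The file names, the `users.dbf` entry, the `_versions` folder and the function names are assumptions made for illustration.

```python
import fnmatch
import shutil
import time
from pathlib import Path

# Assumed lockdown list: the websecurity*.* files named in the thread plus a
# hypothetical local users table flagged by the developer.
LOCKED_PATTERNS = ["websecurity*.*", "users.dbf"]

def is_locked(name, patterns=LOCKED_PATTERNS):
    """True if a file name matches any lockdown pattern (case-insensitive)."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def publish(src_dir, dest_dir, lockdown=True, patterns=LOCKED_PATTERNS):
    """Copy files from src_dir to dest_dir.

    Returns (published, blocked, versioned) as lists of file names.
    """
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    published, blocked, versioned = [], [], []
    stamp = time.strftime("%Y%m%d-%H%M%S")
    for src in sorted(p for p in src_dir.iterdir() if p.is_file()):
        dest = dest_dir / src.name
        locked = is_locked(src.name, patterns)
        # Lockdown on: locked files never publish, whatever else was ticked.
        if lockdown and locked:
            blocked.append(src.name)
            continue
        # Lockdown off: the whole file is about to be replaced, so keep a
        # timestamped copy of the live version first.
        if locked and dest.exists():
            backup = dest_dir / "_versions" / f"{src.name}.{stamp}"
            backup.parent.mkdir(exist_ok=True)
            shutil.copy2(dest, backup)
            versioned.append(backup.name)
        shutil.copy2(src, dest)
        published.append(src.name)
    return published, blocked, versioned
```

With `lockdown=True` a stale desktop copy of a `websecurity*.*` file is reported in `blocked` and the server copy is left untouched; with `lockdown=False` the previous server copy survives under `_versions`.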

  10. #10
    Member Editor's Avatar
    Real Name
    Dave Shaw
    Join Date
    Nov 2008
    Location
    Cleveland, Ohio
    Posts
    230

    Default Re: Security Lockdown - suggestion

    Adding to the AGREE list, please count me in. I'm a new guy and have done that exact upload and messed my team up for the weekend because they could not log on.

    The alternate was spend a Sunday night fixing it. Protecting us from ourselves is always a good thing.
    David Shaw
    Manager of Media Services and User Support
    Cleveland Museum of Art
    Cleveland, Ohio

  11. #11
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: Security Lockdown - suggestion

    In my capacity as Mentor or Support guy, I have to explain it all the time. "Why do my users keep disappearing?" is the common question. That's not so bad, it's when a big company with thousands of users loses the whole list because some developer on their side, or even me, overwrites their userlist, and the backup failed.
    Steve Wood

  12. #12
    Member ColinJD's Avatar
    Real Name
    Colin Davies
    Join Date
    Jun 2006
    Location
    NZ
    Posts
    481

    Default Re: Security Lockdown - suggestion

    Great Idea.
    Whilst this hasn't happened to me, it is almost something that is the source of nightmares and thus losing sleep.

  13. #13
    Member Paul Velke's Avatar
    Real Name
    Paul Velke
    Join Date
    Jun 2005
    Location
    New Jersey
    Posts
    60

    Default Re: Security Lockdown - suggestion

    I agree. It also has not happened to me, but I see the potential for a problem in the future.

  14. #14
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Default Re: Security Lockdown - suggestion

    What about storing all the security tables in a SQL server? That separates the problem from deploying the apps to the server. Maybe Alpha can create scripts for that. So you have development and production environments. Does that solve the problem? :)

  15. #15
    VAR John Oesterle's Avatar
    Real Name
    John Oesterle
    Join Date
    Apr 2000
    Location
    Midwest
    Posts
    236

    Default Re: Security Lockdown - suggestion

    I agree and feel Steve Workings' suggestion has real merit also.

  16. #16
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: Security Lockdown - suggestion

    My understanding, based on a communication from Alpha, is that this will be addressed in an upcoming patch, although not quite the same as suggested in this post. I know they have lots of other little issues with publishing, so not sure what else may be coming. I don't know if this thread "helped" to guide that development, but I bet it did.
    Steve Wood

  17. #17
    Member NicholasWieland's Avatar
    Real Name
    Nicholas Wieland
    Join Date
    Apr 2008
    Location
    Huntington, NY
    Posts
    546

    Default Re: Security Lockdown - suggestion

    Steve,

    Good idea, and as someone said, Alpha would be wise to do so to protect us from ourselves! LOL

    Nicholas
