4D Security guide

About this guide

Security encompasses more than risk elimination and blocking unauthorized access or unlawful disclosure of information, it covers data loss prevention and protection against destruction. In this guide, we will go through 4D’s different security features that help you protect your databases.  We’ll also cover how to use 4D security to enforce your own specific security policies.

Overview

4D’s key features to protect your data from breaches, loss and failure events include:

  • Authentication: 4D supports built-in and customized authentication, as well as authentication via Active Directory and LDAP.
  • Access control with a low level authorization system: a built in user authorization system is included in 4D, allowing you to create groups with different levels of access to information in the database or to database operations.
  • Data Encryption: ensures the confidentiality of your data by encrypting tables that contain sensitive information, via code or user interface.
  • Backup and logs: tools to verify, maintain, and backup your data and file structure, ensuring data integrity in case of failure, data corruption or accidental deletion.
  • Server monitoring and administration: easily retrieve a list of processes and users, identify which users initiated a specific process, and disconnect idle users.

Authentication

Authentication is the process of verifying user credentials, usually based on a username and password. It’s recommended when accessing a database to ask for a login/password combination to associate a session with the authenticated user.

4D provides three different ways to authenticate accounts: 

  • Built-in authentication system: login and password checking. 
  • External authentication: 4D Server application can delegate the authentication to your Active Directory and get the Windows session login, which can be used to log a 4D user into an application via standard login method.
  • Customized system: 4D provides  a set of tools and commands to build a custom authentication system.

Built-in authentication

default accounts

Every database has two user accounts by default:

Designer is the most powerful account. It has control over the design of the database and can create users and groups, assign access privileges, and as well as use the Design environment. No aspect of the database is restricted from the Designer. Be sure to assign a strong password to this account to prevent any unauthorized access to your databases.

Administrator: this account is usually given the task of managing the access system. Considered as the next most powerful user after Designer.

These two accounts can’t be deleted, but you can rename them. In this case, you can distinguish between them via their icon colors: red for Designer and green for Administrator.

enable a default user

In order to create a default user for your database, a security option must be enabled. Once activated, you will be able to choose a “default user” from the drop down list on the Security page of the Database Settings. This option simplifies access to the database while maintaining full control over user actions.

It’s recommended when enabling a default user with a required password to uncheck  the “The user can change their password” option on the Security page of the Database Settings. This hides the “Change” button and prevents users from modifying their passwords.

Create accounts

You can create new users from the Toolbox in the Design menu. Simply choose a name and a temporary password. When the new user logs, they will have the opportunity to modify their password and enter a new one.

If users forget their passwords, only the Designer or the Administrator can set new passwords for them.

External authentication

4D Server supports external authentication by taking advantage of SSO (Single Sign On) capabilities in Windows. It allows users to access a 4D application on Windows without needing to reenter their passwords when they’re already logged into their company’s Windows domain (using Active Directory).

To enable external authentication you need to set the “Authentication of user with domain server” option on the Client-Server/Network option page in the Database Settings.

4D supports both NTLM and Kerberos protocols. The protocol used is automatically selected by 4D depending on the current configuration, and 4D always selects the most secure protocol whenever possible.

Keep in mind that SSO only provides an authenticated login; it’s up to you to pass this login to your standard 4D login method. 

Custom authentication

If the 4D built-in authentication system doesn’t fit your needs, you can always build your own customized system by storing your users and password hashes in a dedicated table. 4D provides you two security-oriented functions to store a password hash, as well as making sure the stored hash matches the given password. When using these functions, passwords are never stored in the database, this ensures a good level of security. Additionally, both commands are based on the bCrypt algorithm which is slow by design. Thus, making it resistant to brute force attacks and minimizing potential impacts.

Data Access System

activate access control

It’s always recommended to control database access, especially when there is more than one user. 4D’s access control system is based on users and groups. After creating users, you can put them into groups, and assign each group the appropriate access rights. Groups can be assigned access privileges to specific operations.

The access system is not activated by default, therefore anyone can access your database. In order to activate this system, you should assign a password to the Designer account, then all the access privileges you have assigned to forms, menus, and methods will take effect. In order to open the database, users must enter a password.

assigning privileges

Every 4D database contains the following predefined options to control data access:

  • Design Access: all users have access to the application. However, you can restrict access to the Design mode. This option allows you to give a specified group the ability to enter the Design environment of the database. By default, the Designer and Administrator accounts always have access to the Design environment.
  • Filtering of commands and project methods (in the formula editor and 4D Write Pro documents): by default, 4D restricts access to the commands, functions and project methods in Application mode and expressions used in 4D Write Pro documents.

Limit access through form control

You can use forms to control user’s view of data and access to features by setting Access and Owner privileges for forms to user groups. You can also provide fully customized interfaces to give users tools and features according to their privileges.

 data encryption

4D allows you to encrypt data at the database level – on a per-table basis. Encryption converts data into an unreadable, encoded format to protect its confidentiality. The data remains illegible until it is decrypted, using the correct valid encryption key.

why encrypting data

In addition to confidentiality and integrity, there are other needs 4D encryption addresses. For example, while not strictly required by GDPR, encryption is recommended. It also makes processes such as backups in the cloud possible, since the contents are encrypted. Also, delegating full access to encrypted data is granted only to designated persons. A database can be hosted externally in total security, thanks to the data file being encrypted.

Encryption key

When encrypting a data file for the first time, you have to provide a passphrase – the passphrase is used to generate the encryption key. A passphrase is a more secure version of a password. For subsequent actions requiring the encryption key, you can enter the passphrase, or connect a USB device which contains the encryption key. During the session, 4D maintains a list of provided encryption keys in memory.

Selecting tables to encrypt

When encrypting data in 4D, the first step is to designate the tables that you want to encrypt in the Structure Editor. Typically, only tables containing confidential or personal data is selected. This encourages grouping sensitive information into targeted tables.

Encrypting data file

Data file encryption can be monitored using the MSC or with dedicated commands. Everything is completely automatic, transparent, and fast.

Encrypt via the MSC 

The new Encrypt page in the Maintenance and Security Center offers all of the available encryption actions: encrypt, re-encrypt, and remove encryption.

Encrypt via the language

In addition to the MSC, you can also manage customized encryption with the Encrypt data file() command. 

High-level built-in protection

4D Server

4D Server is an integrated client/server development system, optimized to build robust business applications with an embedded database. While 4D can send out data (with standards such as HTTP, SOAP, ODBC or OCI) and/or can be accessed from externally (via HTTP/HTTPS, SOAP, ODBC/SQL), its primary interactions are based on the internal 4D development language along with a proprietary network protocol between the client and the server. The direct link between the development language and the network communication protocol allows a high level, built-in protection to avoid typical attack scenarios such as SQL injection or buffer overflow.

4D language

The 4D language is a powerful and mature language, perfectly designed to build business application systems. It consists of more than 1,500 commands, covering database operations (order by, query, creating, transactions, and so on), printing, communicating with other devices or computers, document management, window/user interface commands, and much more. 

The language itself is tokenized, even in interpreted (development or prototyping) mode. It’s never executed as a text evaluation.

Database Compilation

One of the benefits of code compilation is application protection. In 4D, once you have compiled your database, you can use the application builder to erase the interpreted code. In this case, access to the Design environment (except records) is blocked, and development commands are disabled.

Web server

4D features its own built-in HTTP Server, a powerful, multi-threaded server for both static and dynamic content. The tight integration has a dramatic impact on increased security.

Besides better code security, this removes the typical “forgotten update” problem. As everything is integrated, there’s only one software package to update (see “Software Updates” section for additional details). Standard solutions require a huge amount of software packages to update: from PHP, OpenSSL, Apache, NodeJS, and so on… Everything needs regular updates and it’s common that some parts stay unpatched for a long time, especially if used as a department solution, without a specialized IT team.

Web requests trigger 4D code, which responds on the business application level, not just the database level. This tight integration enables control over every request, using built-in authorization or customized implementations, with TLS encryption (see “Enable TLS encryption” section for more information).

The build-in HTTP Server also allows fine-tuned settings, i.e. for a REST Server.

SOAP/ Web Service server

Similar to the HTTP Server, a SOAP Server is built-in, allowing detailed access control, based on business objects (not just database level).

SQL server

While data access for 4D Remote, by default, goes through a proprietary protocol, SQL access (natively or via ODBC), is also supported. SQL access to the database level can be controlled with a password system, SQL schemas, and fine-tuned using SQL views.

Use triggers to enhance security

Triggers are automatically fired by the 4D database engine every time a manipulation event occurs on a table record (add, delete or modify). It’s a very powerful tool since triggers can prevent illegal operations or accidental data loss/tampering, as well as restricting table operations. For example, in an invoicing system, you can prevent the addition of an invoice if the billing party is not specified.

Deletion control

This technique enforces what is called Referential Integrity, which means that table relationships must always be consistent. A foreign key field must agree with a primary key that is referenced by the foreign key. Thus, the Deletion Control option regulates record deletion in the Many table when a record is deleted in the One table. Normally, users can only delete records in the current table.

network security

enable TLS encryption

TLS is a cryptographic protocol that provides secure communications over a computer network. Its primary aim is to provide privacy and data integrity between two communicating computer applications.

4D Web Server can communicate securely via TLS. It’s highly recommended to avoid unencrypted communications, and it’s up to the developer to deny or redirect requests made in a non-secure manner. All you need is a TLS certificate, either purchased or by an open certificate authority like Let’s encrypt.

For the 4D server, when using TLS, connections with clients are secured in a way that intercepted data cannot be viewed by software that is monitoring your network. Exchanged information can be secured with either a predefined key (no SSL certificate required) or a (purchased or free) TLS certificate, as used with the 4D Web Server.

To activate encryption of 4D Client/Server communications, go to the Client-Server/Network options page of the Database Settings and check the option “Encrypt Client/Server Connections”. To do the same for web connections, go to the Web/Configuration page of the Database Settings and check the “Enable TLS” option.

enable pfs (perfect forward secrecy)

Perfect Forward Secrecy (PFS) is a property of key agreement protocols ensuring that a session key derived from a set of long term keys cannot be compromised if one of these keys is compromised in the future.

PFS is enabled by default in 4D Web Server. To benefit from PFS, you need to make sure that the TLS protocol is enabled and that your cipher list contains one or more ECDHE or DHE (which is true by default). PFS uses a DHparameter file that is automatically created by 4D if not present.

enable HSTS (HTTP Strict Transport Security)

HTTP Strict Transport Security (HSTS) is a security policy that requires communications to take place over HTTPS and prevents communications over HTTP. HSTS ensures that the entire communications channel is encrypted before data is sent, thus blocking attacks to read or modify the data in transit.

cryptographic operations with CryptoKey class

4D provides CryptoKey class so you can implement security features such as signature and verification, encryption, and decryption. It provides a way to protect the confidentiality of your data, as well as verify the integrity of messages, and the authenticity of the sender.

It could be used for:

  • Confidentiality: protect data from unauthorized access.
  • Integrity: ensure data is complete and correct. 
  • Authenticity: validate the authenticity of a message sender/recipient.

Backup and log system

Transactional-based logs

4D provides an out-of-the-box transactional-based log system. Every data modification operation is logged and can be rolled back if necessary. In case of an emergency, transactions can be restored – nothing is lost. In case of an interruption, the database is automatically reviewed upon restart and any missing operations (i.e. those in memory, not stored to disk yet) are restored, to return the database to its prior state. Even in case of total data corruption (i.e. bad disk, etc.…), the data file is automatically restored from the last full backup and a journal (transaction log file) including the most recent work is integrated.

The journal can also be useful in case of accidental deletion as well, both for forensic and data recovery.

Standard backups are part of the 4D product, no additional licensing is required, just an additional hard disk (in case of disk failures).

In 24/7 environments, 4D supports cascaded and/or star mirror systems. A production, a mirror, and a secondary mirror build a cluster of systems providing services around the clock. An additional mirror system could be run in another city (or cloud) to protect the data even in the event of an extreme disaster.

Virtual machine snapshot (VSS writer)

In addition to transactional-based logs, 4D supports snapshots of virtual machines, with a dedicated VSS writer application that automatically manages snapshot requests for virtualized applications sent through Windows’s Volume Shadows Copy Service (VSS).

 4D automatically installs a VSS writer service. When the virtual machine administrator begins a snapshot using VMWarev for instance, VMWare informs the guest, which in turn informs the VSS writer, which will then inform 4D Server to flush the cache and wait for one second. Then it will inform the OS that the .4DD, .4DIndx and .Journal files belong together and must be snapshotted at the same time. The OS will handle this and 4D Server can continue to handle client requests. The “freeze” incurred by the snapshot lasts around a second and generally goes unnoticed by connected users.

The Monitor Page of the 4D Server Administration Window displays the status of the VSS writer service, in the Application information area.

Note: Keep in mind that a snapshot doesn’t replace a backup.

Software Updates

All-in-one update

Today’s software might be a complex combination of software products, database servers, middleware, application servers, web servers, and more. It’s easy to forget to keep everything up-to-date, like an OpenSSL DLL for instance. Far too often, people forget (or ignore reminders) to update their software. Understandable since it can be time-consuming.

4D reduces this problem in many ways, not just helping admins with their daily lives, but also minimizing the risks by design.

As an integrated all in one solution, everything is installed in a single folder. It can be replaced with a simple drag and drop operation, so your business applications are updated in a single step. Nothing can be missed.

Server updates can be fully automatic. The process is neither controlled nor forced by 4D itself, it’s completely in the hands of the solution developers.

Client minimum version

In Client/Server applications, you can designate on the server-side, the client minimum version allowed to connect to it. This is useful, for example, when you update the server and don’t want to allow older clients to connect (for security reasons). In this case, earlier versions of the Client application will be rejected and prompted to upgrade (which can be done automatically as well).

Other security considerations

Use strong passwords

The first step towards a secure system is the use of strong passwords. No matter how many protections are placed around your server, there’s always an access method: your password. There are countless programs that attempt to determine passwords, either by guessing common combinations or by randomly generating possibilities and trying them all, or both.

The best defense is a strong password, i.e. a combination of numbers, uppercase letters, lowercase letters, and, if possible, other characters. This makes passwords nearly impossible to guess in a reasonable amount of time.

Test your access system

Once your accounts are set, you should consider defining an access system and testing the privileges. Continuously evaluating your system makes sure your data is protected, especially if/when new functionalities are added.

Encrypted hard drives

An entirely encrypted hard drive can also provide strong protection. Employing hardware solutions like encrypted SSDs or software like BitLocker (Windows) or FileVault (Mac) is always a good idea. Self-encrypting drives use an encryption engine built into the SSD’s controller to encrypt every file. Due to the inherently faster technology in SSDs, you can perform everyday storage tasks much faster than a hard drive, while simultaneously improving data security.