Fishbowl Security Basics

September 28, 2011
Hello, Fishbowl Blog readers! This is my first of, what I hope to be, many blog posts. My name is Aaron Wignall, and I am the IT Manager at Fishbowl Inventory. I’m somewhat of a unique IT Manager in that my training background is in Information Security, and not the nuts and bolts, necessarily, of IT. In fact, I recently obtained my CISSP (Certified Information Systems Security Professional) Certificate. What I’d like to do with my blog posts is to pass on some of my security knowledge, especially as it pertains to using Fishbowl. So please follow me and my posts here on the Fishbowl Inventory Blog!

The first, and I hope most obvious, thing to do is to make sure your database is in a secure location (if you are a Hosted Fishbowl customer, these steps will be done for you). Your Fishbowl database is in a file <whatever you named it>.fdb and, by default, resides in C:\Program Files (x86)\Fishbowl\database\data. You can put your database file anywhere you want as long as you point Fishbowl to the right location (Database tab of Server options – server must be stopped to change). The trick is to put it in a folder that not everyone has access to.

As much as we hate to think of the people we work with doing something malicious, it’s a real possibility. Your Fishbowl database has lots of valuable information about your customers, your inventory, your open SO’s, etc., and if a rogue employee copies that database and takes it with them, they have all the time in the world to crack passwords and get into it. Make sure the folder you have your database in is only accessible by the user running the Fishbowl Server (should be a user with administrative rights).
The user that runs the Fishbowl Server should have a secure password that is known by as few people as possible, and, for good measure, should probably be changed periodically (your password change frequency should be based on your paranoia level, 30 days for the ultra-paranoid, 90+ for the relaxed hippies *smirk*).

You’d think that would be enough, wouldn’t you! After securing your database, though, you need to secure your backup database! Fishbowl allows you to schedule a database backup, and to specify the folder to put it in. You need to secure that folder, as well. You can put it into the same folder, but you wouldn’t be maximizing the benefit of the backup! Try to move your backup to another physical drive, at least, so that if the drive with your main database makes like an IED and explodes, you can recover within minutes.

Again, you still aren’t done. Another thing to keep in mind while securing your database: sometimes when we release new versions of Fishbowl, it upgrades your database to a new version, as well. When this happens, Fishbowl makes two different backups. One is a copy of the database; the other is a Firebird database dump. I like to call these the “Murphy’s Law backups” because you shouldn’t need them, and you won’t need them – until you don’t have them. They are created for rollback purposes during the upgrade. Leaving these unprotected is just as bad as leaving your main database unprotected. You can find these files in C:\Program Files (x86)\Fishbowl\database\data – inside the “old” and “backup” directories.

Now your database is much safer. You will want to consider doing the same for your QuickBooks database ( <dbname>.qbw ) and related files! With QuickBooks, you have to make sure you allow access to the folder for the QuickBooks user as well. To determine which QuickBooks files to secure and back up, refer to the Intuit Website and this blog post by Doug Sleeter.
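
To check the folder permissions described in this post, the following PowerShell audit lists every identity with access to the database folder, its “old” and “backup” subdirectories, and the scheduled-backup folder. It is an added example, not part of the original post or of Fishbowl itself; the service account name, the backup folder path, and the decision to treat SYSTEM and Administrators as expected are assumptions to adjust for your server.

```powershell
# Added example: audit who can reach the Fishbowl database, backup and rollback folders.
# Assumptions (not from the original post): the service account name and the
# scheduled-backup folder are placeholders; replace them with your own values.
$ServiceAccount = 'FISHBOWL-SRV\fishbowlsvc'   # hypothetical account running Fishbowl Server
$DataDir        = 'C:\Program Files (x86)\Fishbowl\database\data'
$Folders = @(
    $DataDir,
    (Join-Path $DataDir 'old'),                # rollback copies made during upgrades
    (Join-Path $DataDir 'backup'),
    'E:\FishbowlBackup'                        # hypothetical scheduled-backup folder
)
# Identities expected to hold access. Keeping SYSTEM and Administrators is an assumption.
$Allowed = @($ServiceAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UnexpectedAccess {
    param([string[]]$Path, [string[]]$AllowedIdentity)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping missing folder: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Deny entries restrict access, so only Allow entries are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedIdentity -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Folder    = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the grant comes from a parent folder
            }
        }
    }
}

$findings = @(Get-UnexpectedAccess -Path $Folders -AllowedIdentity $Allowed)
if ($findings.Count -eq 0) {
    Write-Output 'Only the expected identities have access.'
} else {
    $findings | Sort-Object Folder, Identity | Format-Table -AutoSize
}
```

Entries marked as inherited come from the parent folder, which is typical for anything left under Program Files; moving the database to a dedicated folder with its own permissions removes them.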